-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0919
               VMware Security Advisories - VMSA-2020-0004.1
                               16 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workstation Pro / Player (Workstation)
                   VMware Fusion Pro / Fusion (Fusion)
                   VMware Horizon Client for Windows
                   VMware Remote Console for Windows (VMRC for Windows)
Publisher:         VMWare
Operating System:  Windows
                   OS X
                   Virtualisation
Impact/Access:     Increased Privileges   -- Existing Account
                   Modify Arbitrary Files -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3948 CVE-2020-3947 CVE-2019-5543

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2020-0004.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+--------+--------------------------------------------------------------------+
|Advisory|VMSA-2020-0004.1                                                    |
|ID      |                                                                    |
+--------+--------------------------------------------------------------------+
|Advisory|Critical                                                            |
|Severity|                                                                    |
+--------+--------------------------------------------------------------------+
|CVSSv3  |7.3-9.3                                                             |
|Range   |                                                                    |
+--------+--------------------------------------------------------------------+
|        |VMware Horizon Client, VMRC, VMware Workstation and Fusion updates  |
|Synopsis|address use-after-free and privilege escalation vulnerabilities     |
|        |(CVE-2019-5543, CVE-2020-3947, CVE-2020-3948)                       |
+--------+--------------------------------------------------------------------+
|Issue   |2020-03-12                                                          |
|Date    |                                                                    |
+--------+--------------------------------------------------------------------+
|Updated |2020-03-14                                                          |
|On      |                                                                    |
+--------+--------------------------------------------------------------------+
|CVE(s)  |CVE-2019-5543, CVE-2020-3947 , CVE-2020-3948                        |
+--------+--------------------------------------------------------------------+

1. Impacted Products

  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)
  o VMware Horizon Client for Windows
  o VMware Remote Console for Windows (VMRC for Windows)

2. Introduction

VMware Horizon Client, VMRC, VMware Workstation and Fusion
contain use-after-free and privilege escalation vulnerabilities. Patches are
available to remediate these vulnerabilities in affected VMware products.
 

3a. Use-after-free vulnerability in vmnetdhcp (CVE-2020-3947)

Description:

VMware Workstation and Fusion contain a use-after vulnerability in
vmnetdhcp.VMware has evaluated the severity of this issue to be in the Critical
severity range with a maximum CVSSv3 base score of 9.3.


Known Attack Vectors:

Successful exploitation of this issue may lead to code execution on the host
from the guest or may allow attackers to create a denial-of-service condition
of the vmnetdhcp service running on the host machine.


Resolution:

To remediate CVE-2020-3947, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.  


Workarounds:

None.


Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Anonymous working with Trend Micro Zero Day
Initiative for reporting this issue to us.

Resolution Matrix:

+-----------+-------+-------+-------------+------+--------+-------+-----------+----------+
|Product    |Version|Running|CVE          |CVSSV3|Severity|Fixed  |Workarounds|Additional|
|           |       |On     |Identifier   |      |        |Version|           |Documents |
+-----------+-------+-------+-------------+------+--------+-------+-----------+----------+
|Workstation|15.x   |Any    |CVE-2020-3947|9.3   |Critical|15.5.2 |None       |None      |
+-----------+-------+-------+-------------+------+--------+-------+-----------+----------+
|Fusion     |11.x   |OS X   |CVE-2020-3947|9.3   |Critical|11.5.2 |None       |None      |
+-----------+-------+-------+-------------+------+--------+-------+-----------+----------+

3b. Local Privilege escalation vulnerability in Cortado Thinprint
(CVE-2020-3948)

Description:

Linux Guest VMs running on VMware Workstation and Fusion contain a local
privilege escalation vulnerability due to improper file permissions in Cortado
Thinprint. VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.8. Exploitation
is only possible if virtual printing is enabled in the Guest VM. Virtual
printing is not enabled by default on Workstation and Fusion.

Known Attack Vectors:

Local attackers with non-administrative access to a Linux guest VM with virtual
printing enabled may exploit this issue to elevate their privileges to root on
the same guest VM.

Resolution:

To remediate CVE-2020-3948, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below and uninstall and reinstall
VMware Virtual Printer for each VM.

Workarounds:

None.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Reno Robert working with Trend Micro Zero Day
Initiative for reporting this issue to us.

Resolution Matrix:

+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Product    |Version|Running|CVE          |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|           |       |On     |Identifier   |      |         |Version|           |Documents |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Workstation|15.x   |Any    |CVE-2020-3948|7.8   |Important|15.5.2 |None       |None      |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Fusion     |11.x   |OS X   |CVE-2020-3948|7.8   |Important|11.5.2 |None       |None      |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+

3c. VMware Horizon Client, VMRC and
Workstation privilege escalation vulnerability (CVE-2019-5543)

Description:

For VMware Horizon Client for Windows, VMRC for Windows and Workstation for
Windows the folder containing configuration files for the VMware USB
arbitration service was found to be writable by all users. VMware has evaluated
the severity of this issue to be in the Important severity range with a maximum
CVSSv3 base score of 7.3.

Known Attack Vectors:

A local user on the system where the software is installed may exploit this
issue to run commands as any user.

Resolution:

To remediate CVE-2019-5543 update to the versions listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds:

None.
 
Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Lasse Trolle Borup of Danish Cyber Defence for
reporting this issue to us.

Resolution Matrix:

+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Product    |Version|Running|CVE          |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|           |       |On     |Identifier   |      |         |Version|           |Documents |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Horizon    |5.x and|       |             |      |         |       |           |          |
|Client for |prior  |Windows|CVE-2019-5543|7.3   |Important|5.3.0  |None       |None      |
|Windows    |       |       |             |      |         |       |           |          |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|VMRC for   |10.x   |Windows|CVE-2019-5543|7.3   |Important|11.0.0 |None       |None      |
|Windows    |       |       |             |      |         |       |           |          |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Workstation|15.x   |Windows|CVE-2019-5543|7.3   |Important|15.5.2 |None       |None      |
|for Windows|       |       |             |      |         |       |           |          |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+

4. References

Fixed Version(s) and Release Notes:

VMware Workstation Pro 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation

https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware Horizon Client for Windows 5.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=CART20FQ4_WIN_530&
productId=863
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

VMware Remote Console for Windows 11.0.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1100&productId=742
https://docs.vmware.com/en/VMware-Remote-Console/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3948

FIRST CVSSv3 Calculator:
CVE-2019-5543-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L
/UI:R/S:U/C:H/I:H/A:H

CVE-2020-3947-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L
/UI:N/S:C/C:H/I:H/A:H
CVE-2020-3948-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L
/UI:N/S:U/C:H/I:H/A:H

5. Change log

2020-03-12: VMSA-2020-0004  

Initial security advisory in conjunction with the release of Workstation 15.5.2
and Fusion 11.5.2.

2020-03-14: VMSA-2020-0004.1
Clarified that the issue is present if virtual printing is enabled and that
VMware Virtual Printer must be reinstalled to remediate the issue.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXm7PfWaOgq3Tt24GAQhVGBAAtiz+XgQ2N6u1Q9OCwifMu0i64WXRy33B
nSd441DvQ3wrXuq0ULZCdUBKTvvFSX2+2YPGCnEslaeLvJHbcQOyAu00xzvHi6Qh
LBBYBlakNz71Eo5tY885dGMXJLuuJTmBRh7/tIWsfTFImR0gZq4sjrdPiVrFAn07
H6dG6FUPZPPjq/SUgZdHiVw7Gqn9IMW/Ry4Jg8WgiA7hnLl2k9a3NwtLUX2Xudwi
iif+ykIYFv64TWLoYA8F5giD3VSUXhCp89bohfESQA4j+qbW4CmIh8zihjdhbO36
YzHMoxY4WtEWYL7V7x2MSlka9RLAo0OW2e5yCLNi1Q6kKkTQuHU2TjjSD1y++a0E
m/bo+4JBWXlt2qrNj6JN2/XRDwkXN+Y8hUhTDbuTPWxtUsOoL6lIOYc19OX+Zltg
Dm9V71wpNzM1lDTUSGfegB2Zm3OIqK/KOQnosYUhxt2bkOBH0Zho1S0OzXb8oL3R
m7u4b9wxTWf/8XC9y0UzFS+i4lRjrpkkien9qEpwzKS3Z8G++Wb6VC+NypVmEmw8
r4HvfgAuVQtdI4Is3D2wWB/T48eIlyQvOvRsp/xMJWDIXCLOa9qG25FCOiI8g9tL
TISMa8aAgvOtloykPCRwKyEayT6Mq/PsfXPenJZEibhI4AznaLen4AE4U+FCKdH3
Md1ywx5chNM=
=8zpJ
-----END PGP SIGNATURE-----