Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0919 VMware Security Advisories - VMSA-2020-0004.1 16 March 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: VMware Workstation Pro / Player (Workstation) VMware Fusion Pro / Fusion (Fusion) VMware Horizon Client for Windows VMware Remote Console for Windows (VMRC for Windows) Publisher: VMWare Operating System: Windows OS X Virtualisation Impact/Access: Increased Privileges -- Existing Account Modify Arbitrary Files -- Existing Account Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-3948 CVE-2020-3947 CVE-2019-5543 Original Bulletin: https://www.vmware.com/security/advisories/VMSA-2020-0004.html - --------------------------BEGIN INCLUDED TEXT-------------------- VMware Security Advisories +--------+--------------------------------------------------------------------+ |Advisory|VMSA-2020-0004.1 | |ID | | +--------+--------------------------------------------------------------------+ |Advisory|Critical | |Severity| | +--------+--------------------------------------------------------------------+ |CVSSv3 |7.3-9.3 | |Range | | +--------+--------------------------------------------------------------------+ | |VMware Horizon Client, VMRC, VMware Workstation and Fusion updates | |Synopsis|address use-after-free and privilege escalation vulnerabilities | | |(CVE-2019-5543, CVE-2020-3947, CVE-2020-3948) | +--------+--------------------------------------------------------------------+ |Issue |2020-03-12 | |Date | | +--------+--------------------------------------------------------------------+ |Updated |2020-03-14 | |On | | +--------+--------------------------------------------------------------------+ |CVE(s) |CVE-2019-5543, CVE-2020-3947 , CVE-2020-3948 | +--------+--------------------------------------------------------------------+ 1. Impacted Products o VMware Workstation Pro / Player (Workstation) o VMware Fusion Pro / Fusion (Fusion) o VMware Horizon Client for Windows o VMware Remote Console for Windows (VMRC for Windows) 2. Introduction VMware Horizon Client, VMRC, VMware Workstation and Fusion contain use-after-free and privilege escalation vulnerabilities. Patches are available to remediate these vulnerabilities in affected VMware products. 3a. Use-after-free vulnerability in vmnetdhcp (CVE-2020-3947) Description: VMware Workstation and Fusion contain a use-after vulnerability in vmnetdhcp.VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3. Known Attack Vectors: Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine. Resolution: To remediate CVE-2020-3947, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds: None. Additional Documentations: None. Acknowledgements: VMware would like to thank Anonymous working with Trend Micro Zero Day Initiative for reporting this issue to us. Resolution Matrix: +-----------+-------+-------+-------------+------+--------+-------+-----------+----------+ |Product |Version|Running|CVE |CVSSV3|Severity|Fixed |Workarounds|Additional| | | |On |Identifier | | |Version| |Documents | +-----------+-------+-------+-------------+------+--------+-------+-----------+----------+ |Workstation|15.x |Any |CVE-2020-3947|9.3 |Critical|15.5.2 |None |None | +-----------+-------+-------+-------------+------+--------+-------+-----------+----------+ |Fusion |11.x |OS X |CVE-2020-3947|9.3 |Critical|11.5.2 |None |None | +-----------+-------+-------+-------------+------+--------+-------+-----------+----------+ 3b. Local Privilege escalation vulnerability in Cortado Thinprint (CVE-2020-3948) Description: Linux Guest VMs running on VMware Workstation and Fusion contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. Exploitation is only possible if virtual printing is enabled in the Guest VM. Virtual printing is not enabled by default on Workstation and Fusion. Known Attack Vectors: Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM. Resolution: To remediate CVE-2020-3948, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below and uninstall and reinstall VMware Virtual Printer for each VM. Workarounds: None. Additional Documentations: None. Acknowledgements: VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us. Resolution Matrix: +-----------+-------+-------+-------------+------+---------+-------+-----------+----------+ |Product |Version|Running|CVE |CVSSV3|Severity |Fixed |Workarounds|Additional| | | |On |Identifier | | |Version| |Documents | +-----------+-------+-------+-------------+------+---------+-------+-----------+----------+ |Workstation|15.x |Any |CVE-2020-3948|7.8 |Important|15.5.2 |None |None | +-----------+-------+-------+-------------+------+---------+-------+-----------+----------+ |Fusion |11.x |OS X |CVE-2020-3948|7.8 |Important|11.5.2 |None |None | +-----------+-------+-------+-------------+------+---------+-------+-----------+----------+ 3c. VMware Horizon Client, VMRC and Workstation privilege escalation vulnerability (CVE-2019-5543) Description: For VMware Horizon Client for Windows, VMRC for Windows and Workstation for Windows the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3. Known Attack Vectors: A local user on the system where the software is installed may exploit this issue to run commands as any user. Resolution: To remediate CVE-2019-5543 update to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds: None. Additional Documentations: None. Acknowledgements: VMware would like to thank Lasse Trolle Borup of Danish Cyber Defence for reporting this issue to us. Resolution Matrix: +-----------+-------+-------+-------------+------+---------+-------+-----------+----------+ |Product |Version|Running|CVE |CVSSV3|Severity |Fixed |Workarounds|Additional| | | |On |Identifier | | |Version| |Documents | +-----------+-------+-------+-------------+------+---------+-------+-----------+----------+ |Horizon |5.x and| | | | | | | | |Client for |prior |Windows|CVE-2019-5543|7.3 |Important|5.3.0 |None |None | |Windows | | | | | | | | | +-----------+-------+-------+-------------+------+---------+-------+-----------+----------+ |VMRC for |10.x |Windows|CVE-2019-5543|7.3 |Important|11.0.0 |None |None | |Windows | | | | | | | | | +-----------+-------+-------+-------------+------+---------+-------+-----------+----------+ |Workstation|15.x |Windows|CVE-2019-5543|7.3 |Important|15.5.2 |None |None | |for Windows| | | | | | | | | +-----------+-------+-------+-------------+------+---------+-------+-----------+----------+ 4. References Fixed Version(s) and Release Notes: VMware Workstation Pro 15.5.2 Downloads and Documentation: https://www.vmware.com/go/downloadworkstation https://docs.vmware.com/en/VMware-Workstation-Pro/index.html VMware Workstation Player 15.5.2 Downloads and Documentation: https://www.vmware.com/go/downloadplayer https://docs.vmware.com/en/VMware-Workstation-Player/index.html VMware Fusion 11.5.2 Downloads and Documentation: https://www.vmware.com/go/downloadfusion https://docs.vmware.com/en/VMware-Fusion/index.html VMware Horizon Client for Windows 5.3.0 Downloads and Documentation: https://my.vmware.com/web/vmware/details?downloadGroup=CART20FQ4_WIN_530& productId=863 https://docs.vmware.com/en/VMware-Horizon-Client/index.html VMware Remote Console for Windows 11.0.0 Downloads and Documentation: https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1100&productId=742 https://docs.vmware.com/en/VMware-Remote-Console/index.html Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5543 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3947 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3948 FIRST CVSSv3 Calculator: CVE-2019-5543-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L /UI:R/S:U/C:H/I:H/A:H CVE-2020-3947-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L /UI:N/S:C/C:H/I:H/A:H CVE-2020-3948-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L /UI:N/S:U/C:H/I:H/A:H 5. Change log 2020-03-12: VMSA-2020-0004 Initial security advisory in conjunction with the release of Workstation 15.5.2 and Fusion 11.5.2. 2020-03-14: VMSA-2020-0004.1 Clarified that the issue is present if virtual printing is enabled and that VMware Virtual Printer must be reinstalled to remediate the issue. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXm7PfWaOgq3Tt24GAQhVGBAAtiz+XgQ2N6u1Q9OCwifMu0i64WXRy33B nSd441DvQ3wrXuq0ULZCdUBKTvvFSX2+2YPGCnEslaeLvJHbcQOyAu00xzvHi6Qh LBBYBlakNz71Eo5tY885dGMXJLuuJTmBRh7/tIWsfTFImR0gZq4sjrdPiVrFAn07 H6dG6FUPZPPjq/SUgZdHiVw7Gqn9IMW/Ry4Jg8WgiA7hnLl2k9a3NwtLUX2Xudwi iif+ykIYFv64TWLoYA8F5giD3VSUXhCp89bohfESQA4j+qbW4CmIh8zihjdhbO36 YzHMoxY4WtEWYL7V7x2MSlka9RLAo0OW2e5yCLNi1Q6kKkTQuHU2TjjSD1y++a0E m/bo+4JBWXlt2qrNj6JN2/XRDwkXN+Y8hUhTDbuTPWxtUsOoL6lIOYc19OX+Zltg Dm9V71wpNzM1lDTUSGfegB2Zm3OIqK/KOQnosYUhxt2bkOBH0Zho1S0OzXb8oL3R m7u4b9wxTWf/8XC9y0UzFS+i4lRjrpkkien9qEpwzKS3Z8G++Wb6VC+NypVmEmw8 r4HvfgAuVQtdI4Is3D2wWB/T48eIlyQvOvRsp/xMJWDIXCLOa9qG25FCOiI8g9tL TISMa8aAgvOtloykPCRwKyEayT6Mq/PsfXPenJZEibhI4AznaLen4AE4U+FCKdH3 Md1ywx5chNM= =8zpJ -----END PGP SIGNATURE-----