===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.0942.2
                VMware Security Advisories - VMSA-2020-0005
                               20 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workstation Pro / Player (Workstation)
                   VMware Fusion Pro / Fusion (Fusion)
                   VMware Remote Console for Mac (VMRC for Mac)
                   VMware Horizon Client for Mac
                   VMware Horizon Client for Windows
Publisher:         VMware
Operating System:  Windows
                   OS X
                   Virtualisation
Impact/Access:     Denial of Service -- Existing Account
                   Root Compromise   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3951 CVE-2020-3950

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2020-0005.html

Revision History:  March 20 2020: Security advisory has been updated with
                                  additional instructions found in KB78294
                                  which must be applied after updating to
                                  Fusion 11.5.2 to remediate CVE-2020-3950.
                   March 18 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+--------+--------------------------------------------------------------------+
|Advisory|VMSA-2020-0005.1                                                    |
|ID      |                                                                    |
+--------+--------------------------------------------------------------------+
|Advisory|Important                                                           |
|Severity|                                                                    |
+--------+--------------------------------------------------------------------+
|CVSSv3  |3.2-7.3                                                             |
|Range   |                                                                    |
+--------+--------------------------------------------------------------------+
|        |VMware Workstation, Fusion, VMware Remote Console and Horizon Client|
|Synopsis|updates address privilege escalation and denial-of-service          |
|        |vulnerabilities (CVE-2020-3950, CVE-2020-3951)                      |
+--------+--------------------------------------------------------------------+
|Issue   |2020-03-17                                                          |
|Date    |                                                                    |
+--------+--------------------------------------------------------------------+
|Updated |2020-03-18                                                          |
|On      |                                                                    |
+--------+--------------------------------------------------------------------+
|CVE(s)  |CVE-2020-3950, CVE-2020-3951                                        |
+--------+--------------------------------------------------------------------+

1. Impacted Products

  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)
  o VMware Remote Console for Mac (VMRC for Mac)
  o VMware Horizon Client for Mac
  o VMware Horizon Client for Windows

2. Introduction

VMware Workstation, Fusion, VMware Remote Console and Horizon Client updates
address privilege escalation and denial-of-service vulnerabilities. Patches
are available to remediate these vulnerabilities in affected VMware products.

3a. Privilege escalation vulnerability via setuid binaries (CVE-2020-3950)

Description:

VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a privilege
escalation vulnerability due to improper use of setuid binaries. VMware has
evaluated the severity of this issue to be in the Important severity range
with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal user
privileges to escalate their privileges to root on the system where Fusion,
VMRC or Horizon Client is installed.

Resolution:

Updated 2020-03-18: To remediate CVE-2020-3950 in VMware Remote Console for
Mac (VMRC for Mac) and VMware Horizon Client for Mac, apply the patches listed
in the 'Fixed Version' column of the 'Resolution Matrix' found below.

To remediate CVE-2020-3950 in VMware Fusion, first apply the patches listed in
the 'Fixed Version' column of the 'Resolution Matrix' found below, then follow
the instructions found in KB78294 listed in the 'Additional Documentation'
column of the 'Resolution Matrix'. These instructions are needed because the
fix for CVE-2020-3950 in Fusion 11.5.2 was found to be incomplete and
addresses the issue only partially.

Workarounds:

None.

Additional Documentations:

See the 'Resolution Matrix'.

Acknowledgements:

VMware would like to thank Jeffball of GRIMM and Rich Mirch for independently
reporting this issue to us.

Resolution Matrix:

+-------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Product|Version|Running|CVE          |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|       |       |On     |Identifier   |      |         |Version|           |Documents |
+-------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Fusion |11.x   |OS X   |CVE-2020-3950|7.3   |Important|11.5.2*|None       |KB78294   |
+-------+-------+-------+-------------+------+---------+-------+-----------+----------+
|VMRC   |11.x   |       |             |      |         |       |           |          |
|for Mac|and    |OS X   |CVE-2020-3950|7.3   |Important|11.0.1 |None       |None      |
|       |prior  |       |             |      |         |       |           |          |
+-------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Horizon|5.x and|       |             |      |         |       |           |          |
|Client |prior  |OS X   |CVE-2020-3950|7.3   |Important|5.4.0  |None       |None      |
|for Mac|       |       |             |      |         |       |           |          |
+-------+-------+-------+-------------+------+---------+-------+-----------+----------+

* Added 2020-03-18: It was discovered that the fix for CVE-2020-3950 released
with Fusion 11.5.2 was incomplete. The next release of Fusion will contain a
complete fix for CVE-2020-3950 and this advisory will be updated when the new
release is available.

3b. Denial of service vulnerability in Cortado Thinprint (CVE-2020-3951)

Description:

VMware Workstation and Horizon Client for Windows contain a denial-of-service
vulnerability due to a heap-overflow issue in Cortado Thinprint. VMware has
evaluated the severity of this issue to be in the Low severity range with a
maximum CVSSv3 base score of 3.2.

Known Attack Vectors:

Attackers with non-administrative access to a guest VM with virtual printing
enabled may exploit this issue to create a denial-of-service condition of the
Thinprint service running on the system where Workstation or Horizon Client is
installed.

Resolution:

To remediate CVE-2020-3951, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Dhanesh Kizhakkinan of FireEye Inc. for reporting
this issue to us.

Notes:

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by default
on Horizon Client.

Resolution Matrix:

+-----------+-------+-------+-------------+------+--------+--------+-----------+----------+
|Product    |Version|Running|CVE          |CVSSV3|Severity|Fixed   |Workarounds|Additional|
|           |       |On     |Identifier   |      |        |Version |           |Documents |
+-----------+-------+-------+-------------+------+--------+--------+-----------+----------+
|Workstation|15.x   |Windows|CVE-2020-3951|3.2   |Low     |15.5.2  |None       |None      |
|           |       |       |             |      |        |        |           |          |
+-----------+-------+-------+-------------+------+--------+--------+-----------+----------+
|Workstation|15.x   |Linux  |CVE-2020-3951|N/A   |N/A     |Not     |N/A        |N/A       |
|           |       |       |             |      |        |affected|           |          |
+-----------+-------+-------+-------------+------+--------+--------+-----------+----------+
|Horizon    |5.x and|       |             |      |        |        |           |          |
|Client for |prior  |Windows|CVE-2020-3951|3.2   |Low     |5.4.0   |None       |None      |
|Windows    |       |       |             |      |        |        |           |          |
+-----------+-------+-------+-------------+------+--------+--------+-----------+----------+

4. References

Fixed Version(s) and Release Notes:

VMware Workstation Pro 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware Horizon Client 5.4.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

VMware Remote Console for Windows 11.0.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1101&productId=742
https://docs.vmware.com/en/VMware-Remote-Console/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3950
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3951

FIRST CVSSv3 Calculator:
CVE-2020-3950 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2020-3951 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L

5. Change log

2020-03-17: VMSA-2020-0005
Initial security advisory in conjunction with the release of VMware Remote
Console 11.0.1 and Horizon Client 5.4.0.

2020-03-18: VMSA-2020-0005.1
Updated security advisory with additional instructions found in KB78294 which
must be applied after updating to Fusion 11.5.2 to remediate CVE-2020-3950.

--------------------------END INCLUDED TEXT--------------------