===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2367
   VMware Fusion, VMware Remote Console and Horizon Client updates address
             a privilege escalation vulnerability (CVE-2020-3974)
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Fusion
                   Horizon Client
                   VMware Remote Console
Publisher:         vmware
Operating System:  Mac OS
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3974

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2020-0017.html

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID:  VMSA-2020-0017
CVSSv3 Range: 7.8
Issue Date:   2020-07-09
Updated On:   2020-07-09 (Initial Advisory)
CVE(s):       CVE-2020-3974
Synopsis:     VMware Fusion, VMware Remote Console and Horizon Client updates
              address a privilege escalation vulnerability (CVE-2020-3974)

1. Impacted Products

   o VMware Fusion Pro / Fusion (Fusion)
   o VMware Remote Console for Mac (VMRC for Mac)
   o VMware Horizon Client for Mac

2. Introduction

A privilege escalation vulnerability in VMware Fusion, VMRC for Mac and
Horizon Client for Mac was privately reported to VMware. Updates are
available to address this vulnerability.

3. XPC Client validation privilege escalation vulnerability (CVE-2020-3974)

Description

VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a privilege
escalation vulnerability due to improper XPC Client validation. VMware has
evaluated the severity of this issue to be in the Important severity range
with a maximum CVSSv3 base score of 7.8.
Known Attack Vectors

Successful exploitation of this issue may allow attackers with normal user
privileges to escalate their privileges to root on the system where Fusion,
VMRC for Mac or Horizon Client for Mac is installed.

Resolution

To remediate CVE-2020-3974, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Cees Elzinga of Danish Cyber Defence and Csaba
Fitzl (@theevilbit) for independently reporting this issue to us.

Response Matrix

Product         Version   Running  CVE            CVSSv3  Severity   Fixed    Workarounds  Additional
                          On       Identifier                        Version               Documentation
--------------  --------  -------  -------------  ------  ---------  -------  -----------  -------------
Fusion          11.x      OS X     CVE-2020-3974  7.8     important  11.5.5   None         None
VMRC for Mac    11.x and  OS X     CVE-2020-3974  7.8     important  11.2.0   None         None
                prior
Horizon Client  5.x and   OS X     CVE-2020-3974  7.8     important  5.4.3    None         None
for Mac         prior

4. References

Fixed Version(s) and Release Notes:

VMware Fusion 11.5.5
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware Horizon Client for Mac 5.4.3
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

VMware Remote Console for Mac 11.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VMRC1120&productId=974
https://docs.vmware.com/en/VMware-Remote-Console/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3974

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

5. Change Log

2020-07-09: VMSA-2020-0017 Initial security advisory.
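The Response Matrix gives the affected branches and fixed versions, which is all a defender needs to triage a fleet of Macs. The script below is an added example, not VMware's or AusCERT's code: it encodes the matrix as data, compares an installed version against it, and reads the version from an application bundle's Info.plist. The /Applications paths are assumed default install locations, not something the advisory states.

```python
import plistlib
from pathlib import Path

# Response Matrix of VMSA-2020-0017, product -> ((lowest, highest) affected
# major version, fixed version). "and prior" means every earlier branch is
# affected too; Fusion is listed as 11.x only.
FIXED = {
    "Fusion":         ((11, 11), (11, 5, 5)),   # 11.x          -> 11.5.5
    "VMRC for Mac":   ((0, 11),  (11, 2, 0)),   # 11.x and prior -> 11.2.0
    "Horizon Client": ((0, 5),   (5, 4, 3)),    # 5.x and prior  -> 5.4.3
}

def parse_version(text):
    """'11.5.3' -> (11, 5, 3); short strings like '5.4' are padded with 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def cve_2020_3974_status(product, version):
    """'affected', 'fixed', or 'out-of-scope' (branch not in the matrix)."""
    (lowest, highest), fixed = FIXED[product]
    v = parse_version(version)
    if not lowest <= v[0] <= highest:
        return "out-of-scope"
    return "fixed" if v >= fixed else "affected"

def installed_version(app_bundle):
    """Read CFBundleShortVersionString from a macOS .app bundle."""
    with open(Path(app_bundle) / "Contents" / "Info.plist", "rb") as f:
        return plistlib.load(f)["CFBundleShortVersionString"]

if __name__ == "__main__":
    # Assumed default install locations; adjust for your hosts.
    candidates = [
        ("Fusion", "/Applications/VMware Fusion.app"),
        ("VMRC for Mac", "/Applications/VMware Remote Console.app"),
        ("Horizon Client", "/Applications/VMware Horizon Client.app"),
    ]
    for product, path in candidates:
        try:
            version = installed_version(path)
        except (FileNotFoundError, KeyError):
            continue  # product not installed on this host
        print(f"{product} {version}: {cve_2020_3974_status(product, version)}")
```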
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================