===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2368
    VMware ESXi, Workstation, Fusion, VMware Remote Console and Horizon
          Client updates address multiple security vulnerabilities
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation
                   VMware Fusion
                   VMware Remote Console
                   VMware Horizon Client
Publisher:         VMware
Operating System:  Mac OS
                   Windows
                   Linux variants
                   Virtualisation
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3959 CVE-2020-3958 CVE-2020-3957

Reference:         ESB-2020.1892

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2020-0011.html

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID:   VMSA-2020-0011.1
CVSSv3 Range:  3.3-7.3
Issue Date:    2020-05-28
Updated On:    2020-07-09
CVE(s):        CVE-2020-3957, CVE-2020-3958, CVE-2020-3959
Synopsis:      VMware ESXi, Workstation, Fusion, VMware Remote Console and
               Horizon Client updates address multiple security
               vulnerabilities (CVE-2020-3957, CVE-2020-3958, CVE-2020-3959)

1. Impacted Products

  o VMware ESXi
  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)
  o VMware Remote Console for Mac (VMRC for Mac)
  o VMware Horizon Client for Mac

2. Introduction

Multiple security vulnerabilities in VMware ESXi, Workstation, Fusion, VMRC
for Mac and Horizon Client for Mac were privately reported to VMware.
Patches and workarounds are available to remediate or work around these
vulnerabilities in affected VMware products.

3a. Service opener - Time-of-check Time-of-use (TOCTOU) issue (CVE-2020-3957)

Description

VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a local
privilege escalation vulnerability due to a Time-of-check Time-of-use
(TOCTOU) issue in the service opener. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.3.

Known Attack Vectors

Successful exploitation of this issue may allow attackers with normal user
privileges to escalate their privileges to root on the system where Fusion,
VMRC for Mac or Horizon Client for Mac is installed.

Resolution

To remediate CVE-2020-3957 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Rich Mirch of TeamARES from Critical Start Inc.
and Jeffball of GRIMM for independently reporting this issue to us.

Response Matrix

Product                 Version         Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Fusion                  11.x            OS X        CVE-2020-3957   7.3     important  11.5.5         None         None
VMRC for Mac            11.x and prior  OS X        CVE-2020-3957   7.3     important  11.2.0         None         None
Horizon Client for Mac  5.x and prior   OS X        CVE-2020-3957   7.3     important  5.4.3          None         None

3b. Denial-of-service vulnerability in Shader functionality (CVE-2020-3958)

Description

VMware ESXi, Workstation and Fusion contain a denial-of-service
vulnerability in the shader functionality. VMware has evaluated the
severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 4.0.

Known Attack Vectors

Exploitation of this issue requires an attacker to have access to a virtual
machine with 3D graphics enabled. It is not enabled by default on ESXi and
is enabled by default on Workstation and Fusion.
Successful exploitation of this issue may allow attackers with
non-administrative access to a virtual machine to crash the virtual
machine's vmx process leading to a denial of service condition.

Resolution

To remediate CVE-2020-3958 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3958 have been listed in the 'Workarounds' column
of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Piotr Bania of Cisco Talos for reporting this
issue to us.

Notes

None.

Response Matrix

Product      Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version         Workarounds  Additional Documentation
ESXi         7.0      Any         CVE-2020-3958   N/A     N/A       Unaffected            N/A          N/A
ESXi         6.7      Any         CVE-2020-3958   4.0     moderate  ESXi670-202004101-SG  See Item 34  None
ESXi         6.5      Any         CVE-2020-3958   4.0     moderate  ESXi650-202005401-SG  See Item 34  None
Workstation  15.x     Any         CVE-2020-3958   4.0     moderate  15.5.2                KB59146      None
Fusion       11.x     OS X        CVE-2020-3958   4.0     moderate  11.5.2                KB59146      None

3c. Memory leak vulnerability in VMCI module (CVE-2020-3959)

Description

VMware ESXi, Workstation and Fusion contain a memory leak vulnerability in
the VMCI module. VMware has evaluated the severity of this issue to be in
the Low severity range with a maximum CVSSv3 base score of 3.3.

Known Attack Vectors

A malicious actor with local non-administrative access to a virtual machine
may be able to crash the virtual machine's vmx process leading to a partial
denial of service.

Resolution

To remediate CVE-2020-3959 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Tianwen Tang (VictorV) of Qihoo 360Vulcan Team
working with 360 BugCloud for reporting this issue to us.

Notes

None.

Response Matrix

Product      Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version         Workarounds  Additional Documentation
ESXi         7.0      Any         CVE-2020-3959   N/A     N/A       Unaffected            N/A          N/A
ESXi         6.7      Any         CVE-2020-3959   3.3     low       ESXi670-202004101-SG  None         None
ESXi         6.5      Any         CVE-2020-3959   3.3     low       ESXi650-202005401-SG  None         None
Workstation  15.x     Any         CVE-2020-3959   3.3     moderate  15.1.0                None         None
Fusion       11.x     OS X        CVE-2020-3959   3.3     low       11.1.0                None         None

4. References

Fixed Version(s) and Release Notes:

VMware ESXi 6.7 ESXi670-202004101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202004002.html

VMware ESXi 6.5 ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202005001.html

VMware Workstation Pro 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.5 (Latest)
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware Horizon Client for Mac 5.4.3
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

VMware Remote Console for Mac 11.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VMRC1120&productId=974
https://docs.vmware.com/en/VMware-Remote-Console/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3959

FIRST CVSSv3 Calculator:
CVE-2020-3957 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2020-3958 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2020-3959 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

5. Change Log

2020-05-28: VMSA-2020-0011 - Initial security advisory.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
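The advisory lists a different fixed version per CVE for the same product line, so a single installed version can be patched for one issue and still exposed to another. The following triage helper is an added example, not part of the VMware or AusCERT text; the product keys and status strings are labels chosen here, and ESXi is left out because its fixes are patch bundle IDs rather than comparable version numbers.

```python
# Added example (not from the advisory). Rows transcribed from the three
# response matrices; product keys are labels chosen for this example and
# "prior" marks rows the advisory lists as "N.x and prior".
MATRIX = [
    # (product, CVE, affected major, and prior?, fixed version)
    ("fusion",             "CVE-2020-3957", 11, False, "11.5.5"),
    ("vmrc-mac",           "CVE-2020-3957", 11, True,  "11.2.0"),
    ("horizon-client-mac", "CVE-2020-3957", 5,  True,  "5.4.3"),
    ("workstation",        "CVE-2020-3958", 15, False, "15.5.2"),
    ("fusion",             "CVE-2020-3958", 11, False, "11.5.2"),
    ("workstation",        "CVE-2020-3959", 15, False, "15.1.0"),
    ("fusion",             "CVE-2020-3959", 11, False, "11.1.0"),
]

def parse_version(text):
    """Turn '11.5.3' into (11, 5, 3); pad short forms so '11.5' == '11.5.0'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("unparseable version: %r" % text)
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(product, installed):
    """Return {CVE: status} for one installed product version."""
    version = parse_version(installed)
    rows = [r for r in MATRIX if r[0] == product]
    if not rows:
        raise KeyError("product not covered by this example: %r" % product)
    report = {}
    for _, cve, major, prior, fixed in rows:
        if version >= parse_version(fixed):
            report[cve] = "fixed"
        elif version[0] == major or (prior and version[0] < major):
            report[cve] = "vulnerable, fixed in %s" % fixed
        else:
            # Older release lines are not mentioned in the matrix for this row.
            report[cve] = "not listed in advisory"
    return report

if __name__ == "__main__":
    for product, version in [("fusion", "11.5.3"), ("workstation", "15.0.4")]:
        print(product, version, triage(product, version))
```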