===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2368
VMware ESXi, Workstation, Fusion, VMware Remote Console and Horizon Client
             updates address multiple security vulnerabilities
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation
                   VMware Fusion
                   VMware Remote Console
                   VMware Horizon Client
Publisher:         VMware
Operating System:  Mac OS
                   Windows
                   Linux variants
                   Virtualisation
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3959 CVE-2020-3958 CVE-2020-3957

Reference:         ESB-2020.1892

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2020-0011.html

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID: VMSA-2020-0011.1
CVSSv3 Range: 3.3-7.3
Issue Date: 2020-05-28
Updated On: 2020-07-09
CVE(s): CVE-2020-3957, CVE-2020-3958, CVE-2020-3959
Synopsis: VMware ESXi, Workstation, Fusion, VMware Remote Console and Horizon
Client updates address multiple security vulnerabilities (CVE-2020-3957,
CVE-2020-3958, CVE-2020-3959)

1. Impacted Products

  o VMware ESXi
  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)
  o VMware Remote Console for Mac (VMRC for Mac)
  o VMware Horizon Client for Mac

2. Introduction

Multiple security vulnerabilities in VMware ESXi, Workstation, Fusion, VMRC for
Mac and Horizon Client for Mac were privately reported to VMware. Patches and
workarounds are available to remediate or work around these vulnerabilities in
affected VMware products.

3a. Service opener - Time-of-check Time-of-use (TOCTOU) issue (CVE-2020-3957)

Description

VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a local
privilege escalation vulnerability due to a Time-of-check Time-of-use (TOCTOU)
issue in the service opener. VMware has evaluated the severity of this issue
to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors

Successful exploitation of this issue may allow attackers with normal user
privileges to escalate their privileges to root on the system where Fusion,
VMRC for Mac or Horizon Client for Mac is installed.

Resolution

To remediate CVE-2020-3957 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Rich Mirch of TeamARES from Critical Start
Inc. and Jeffball of GRIMM for independently reporting this issue to us.

Response Matrix

Product                Version        Running CVE           CVSSv3 Severity  Fixed   Workarounds Additional
                                      On      Identifier                     Version             Documentation
Fusion                 11.x           OS X    CVE-2020-3957 7.3    important 11.5.5  None        None
VMRC for Mac           11.x and prior OS X    CVE-2020-3957 7.3    important 11.2.0  None        None
Horizon Client for Mac 5.x and prior  OS X    CVE-2020-3957 7.3    important 5.4.3   None        None

3b. Denial-of-service vulnerability in Shader functionality (CVE-2020-3958)

Description

VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability
in the shader functionality. VMware has evaluated the severity of this issue to
be in the Moderate severity range with a maximum CVSSv3 base score of 4.0.

Known Attack Vectors

Exploitation of this issue requires an attacker to have access to a virtual
machine with 3D graphics enabled. It is not enabled by default on ESXi and is
enabled by default on Workstation and Fusion.

Successful exploitation of this issue may allow attackers with
non-administrative access to a virtual machine to crash the virtual machine's
vmx process leading to a denial of service condition.

Resolution

To remediate CVE-2020-3958 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3958 have been listed in the 'Workarounds' column
of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue
to us.

Notes

None.

Response Matrix

Product     Version Running CVE           CVSSv3 Severity Fixed Version        Workarounds Additional
                    On      Identifier                                                     Documentation
ESXi        7.0     Any     CVE-2020-3958 N/A    N/A      Unaffected           N/A         N/A
ESXi        6.7     Any     CVE-2020-3958 4.0    moderate ESXi670-202004101-SG See Item 34 None
ESXi        6.5     Any     CVE-2020-3958 4.0    moderate ESXi650-202005401-SG See Item 34 None
Workstation 15.x    Any     CVE-2020-3958 4.0    moderate 15.5.2               KB59146     None
Fusion      11.x    OS X    CVE-2020-3958 4.0    moderate 11.5.2               KB59146     None

3c. Memory leak vulnerability in VMCI module (CVE-2020-3959)

Description

VMware ESXi, Workstation and Fusion contain a memory leak vulnerability in the
VMCI module. VMware has evaluated the severity of this issue to be in the Low
severity range with a maximum CVSSv3 base score of 3.3.

Known Attack Vectors

A malicious actor with local non-administrative access to a virtual machine may
be able to crash the virtual machine's vmx process leading to a partial denial
of service.

Resolution

To remediate CVE-2020-3959 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Tianwen Tang (VictorV) of Qihoo 360Vulcan Team
working with 360 BugCloud for reporting this issue to us.

Notes

None.

Response Matrix

Product     Version Running CVE           CVSSv3 Severity Fixed Version        Workarounds Additional
                    On      Identifier                                                     Documentation
ESXi        7.0     Any     CVE-2020-3959 N/A    N/A      Unaffected           N/A         N/A
ESXi        6.7     Any     CVE-2020-3959 3.3    low      ESXi670-202004101-SG None        None
ESXi        6.5     Any     CVE-2020-3959 3.3    low      ESXi650-202005401-SG None        None
Workstation 15.x    Any     CVE-2020-3959 3.3    moderate 15.1.0               None        None
Fusion      11.x    OS X    CVE-2020-3959 3.3    low      11.1.0               None        None

4. References

Fixed Version(s) and Release Notes:

 

VMware ESXi 6.7 ESXi670-202004101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202004002.html

 

VMware ESXi 6.5 ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202005001.html


VMware Workstation Pro 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation

https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

 

VMware Workstation Player 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

 

VMware Fusion 11.5.5 (Latest)
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

 

VMware Horizon Client for Mac 5.4.3
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

 

VMware Remote Console for Mac 11.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VMRC1120&productId=974
https://docs.vmware.com/en/VMware-Remote-Console/index.html

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3959

 

FIRST CVSSv3 Calculator:
CVE-2020-3957:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2020-3958:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2020-3959:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
 

5. Change Log

2020-05-28: VMSA-2020-0011 - Initial security advisory.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================