-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3166
          VMSA-2020-0020 - VMware Workstation, Fusion and Horizon
         Client updates address multiple security vulnerabilities
                             16 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workstation
                   VMware Fusion
                   VMware Horizon Client for Windows
Publisher:         VMWare
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3990 CVE-2020-3989 CVE-2020-3988
                   CVE-2020-3987 CVE-2020-3986 CVE-2020-3980

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2020-0020.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2020-0020 - VMware Workstation, Fusion and Horizon Client updates
address multiple security vulnerabilities

Advisory ID: VMSA-2020-0020
CVSSv3 Range: 3.8-6.7
Issue Date  : 2020-09-14
Updated On  : 2020-09-14 (Initial Advisory)
CVE(s)      : CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988,
              CVE-2020-3989, CVE-2020-3990
Synopsis    : VMware Workstation, Fusion and Horizon Client updates address
multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987,
CVE-2020-3988, CVE-2020-3989, CVE-2020-3990)

1. Impacted Products

  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)
  o VMware Horizon Client for Windows

2. Introduction

Multiple vulnerabilities in VMware Workstation, Fusion and Horizon Client were
privately reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products. 

3a. PATH configuration privilege escalation vulnerability (CVE-2020-3980)

Description

VMware Fusion contains a privilege escalation vulnerability due to the way it
allows configuring the system wide path. VMware has evaluated the severity of
this issue to be in the Moderate severity range with a maximum CVSSv3 base
score of 6.7.

Known Attack Vectors

An attacker with normal user privileges may exploit this issue to trick an
admin user into executing malicious code on the system where Fusion is
installed.

Resolution

To remediate CVE-2020-3980 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Rich Mirch from TeamARES of Critical Start for
reporting this issue to us.

Response Matrix

Product Version Running CVE           CVSSv3 Severity Fixed    Workarounds Additional
                On      Identifier                    Version              Documentation
Fusion  12.x    OS X    CVE-2020-3980 6.7    N/A      not      N/A         N/A
                                                      affected
Fusion  11.x    OS X    CVE-2020-3980 6.7    moderate patch    None        None
                                                      pending

3b. Multiple out-of-bounds read vulnerabilities via Cortado ThinPrint
(CVE-2020-3986, CVE-2020-3987, CVE-2020-3988)

Description

VMware Workstation and Horizon Client for Windows contain multiple
out-of-bounds read vulnerabilities in Cortado ThinPrint component. These issues
exist in the EMF and JPEG2000 parsers. VMware has evaluated the severity of
these issues to be in the Moderate severity range with a maximum CVSSv3 base
score of 5.2.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to
exploit these issues to create a partial denial-of-service condition or to leak
memory from TPView process running on the system where Workstation or Horizon
Client for Windows is installed.

Resolution

To remediate CVE-2020-3986 (EMF parser),  CVE-2020-3987 (EMR STRETCHDIBITS
parser), and CVE-2020-3988 (JPEG2000 parser) apply the patches listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank KPC of Trend Micro's Zero Day Initiative and
pig working with Trend Micro's Zero Day Initiative for reporting these issues
to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by default
on Horizon Client. 

Response Matrix

Product     Version Running CVE Identifier CVSSv3 Severity Fixed    Workarounds Additional
                    On                                     Version              Documentation
Horizon     5.x and         CVE-2020-3986,
Client for  prior   Windows CVE-2020-3987, 5.2    moderate 5.4.4    None        None
Windows                     CVE-2020-3988
                            CVE-2020-3986,                 not
Workstation 16.x    Any     CVE-2020-3987, 5.2    N/A      affected N/A         N/A
                            CVE-2020-3988
                            CVE-2020-3986,                 not
Workstation 15.x    Linux   CVE-2020-3987, 5.2    N/A      affected N/A         N/A
                            CVE-2020-3988
                            CVE-2020-3986,                 patch
Workstation 15.x    Windows CVE-2020-3987, 5.2    moderate pending  None        None
                            CVE-2020-3988

3c. Denial-of-service vulnerability via Cortado ThinPrint (CVE-2020-3989)

Description

VMware Workstation and Horizon Client for Windows contain a denial of service
vulnerability due to an out-of-bounds write issue in Cortado ThinPrint
component. VMware has evaluated the severity of this issue to be in the Low
severity range with a maximum CVSSv3 base score of 3.8.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to
exploit this issue to create a partial denial-of-service condition on the
system where Workstation or Horizon Client for Windows is installed.

Resolution

To remediate CVE-2020-3989 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank linhlhq of VinCSS (Member of Vingroup) working with
Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by default
on Horizon Client. 

Response Matrix

Product     Version Running CVE           CVSSv3 Severity Fixed    Workarounds Additional
                    On      Identifier                    Version              Documentation
Horizon     5.x and
Client for  prior   Windows CVE-2020-3989 3.8    low      5.4.4    None        None
Windows
Workstation 16.x    Any     CVE-2020-3989 3.8    N/A      not      N/A         N/A
                                                          affected
Workstation 15.x    Linux   CVE-2020-3989 3.8    N/A      not      N/A         N/A
                                                          affected
Workstation 15.x    Windows CVE-2020-3989 3.8    low      patch    None        None
                                                          pending

3d. Information disclosure vulnerability via Cortado ThinPrint (CVE-2020-3990)

VMware Workstation and Horizon Client for Windows contain an information
disclosure vulnerability due to an integer overflow issue in Cortado ThinPrint
component. VMware has evaluated the severity of this issue to be in the Low
severity range with a maximum CVSSv3 base score of 3.8.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to
exploit this issue to leak memory from TPView process running on the system
where Workstation or Horizon Client for Windows is installed.

Resolution

To remediate CVE-2020-3990 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank linhlhq of VinCSS (Member of Vingroup) working with
Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by default
on Horizon Client. 

Response Matrix

Product     Version Running CVE           CVSSv3 Severity Fixed    Workarounds Additional
                    On      Identifier                    Version              Documentation
Horizon     5.x and
Client for  prior   Windows CVE-2020-3990 3.8    low      5.4.4    None        None
Windows
Workstation 16.x    Any     CVE-2020-3990 3.8    N/A      not      N/A         N/A
                                                          affected
Workstation 15.x    Linux   CVE-2020-3990 3.8    N/A      not      N/A         N/A
                                                          affected
Workstation 15.x    Windows CVE-2020-3990 3.8    low      patch    None        None
                                                          pending

4. References

Fixed Version(s) and Release Notes:

 

VMware Workstation Pro 16.0 
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

 

VMware Workstation Player 16.0 
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

 

VMware Fusion 12.0 
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

 

VMware Horizon Client 5.4.4
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/
desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3990

 

FIRST CVSSv3 Calculator:

CVE-2020-3980 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/
PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3986 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/
PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3987 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/
PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3988 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/
PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3989 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/
PR:L/UI:N/S:C/C:N/I:N/A:L
CVE-2020-3990 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/
PR:L/UI:N/S:C/C:L/I:N/A:N

5. Change Log

2020-09-14: VMSA-2020-0020 - Initial security advisory.

 

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog

https://blogs.vmware.com/security Twitterhttps://twitter.com/VMwareSRC

 

Twitter

https://twitter.com/VMwareSRC


Copyright 2020 VMware Inc. All rights reserved.

VMware Logo
Contact Sales Get Support About VMware Careers Thought Leadership
(C) 2020 VMware, Inc Terms of Use Your California Privacy Rights Privacy
Accessibility Site Map Trademarks Glossary Help



















- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VMSA-2020-0020 - VMware Workstation, Fusion and Horizon Client updates
address multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986,
CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990)

Please see the advisory here: 
https://www.vmware.com/security/advisories/VMSA-2020-0020.html

Impacted Products:

VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows

You are receiving this alert because you are subscribed to the VMware 
Security Announcements mailing list. To modify your subscription please 
visit https://lists.vmware.com/mailman/listinfo/security-announce

- -----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.2 (Build 1298)
Charset: utf-8

wj8DBQFfYEQmDEcm8Vbi9kMRAraSAJ0b9u3zQAHuZHXAU1sB3nPiz5zggQCfVMTV
tnsejIf2BJTqpJTtUPxksz8=
=foeq
- -----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
https://lists.vmware.com/mailman/listinfo/security-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX2FCbeNLKJtyKPYoAQhHwxAAmTR2wVn0FNsctPmWPtVPE4oG8FNuZUMs
6SK5prcVVSNIr99Y67hA6LCI/yl59HDNE41ZUUuc8FrCpc7rIAGmxOfMy0av6Th9
kKOyo6E7+ibWthvK5AWBq/oJ+X1r1LUC6Nv10A7ePHz6T95us+v4WD0nseZhTRbL
GnT+Q0Htsj41ruTRUDefBAS2yPBtPrGNFx4/h949RwSijY3JUXGhQeuQ5YeZ4F9d
cM3DMFRjtmpOx0FkWJpR9J2G1G6xb+VMxgN4zv3WozHNms3x5dKtfaIrmvjizHYq
A96/A0XDTIDRaYIXZHfDVFFbYyqROPxa/hTorTjQf6grFCZYoaKczYtEx0ts1RlQ
PlyloVeckg7At3WMMRK5OC+X2m16vxBVgJrDSOopVJSuBZof0x+zLTdti0a4GF1R
8X7LF5RtajUIqESApxgvXZYdJkIyyiE8OoItjQIGscRGdnXY3yWe23d8rF4UqaqS
D++DMV9y1rXpvuC0yx5Cgclr7kEwb+hmLwUI8cdfRZGnlTk10ukyAnasxGJnMVcd
VsFuFTksOZQh9kwnmhkiYujtbI0wTOv0BWGgcxgniQ7SO0vJBZYH7H+jb1NBBMtT
ZHxqV9tfPJB2hG43BFMsQbwxm7Ty3ptcOlGai1zYpX+8o9ut6YhzrPN5+Nv9Z1NF
Tso2gdY+WkY=
=+6DM
-----END PGP SIGNATURE-----