===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3166
   VMSA-2020-0020 - VMware Workstation, Fusion and Horizon Client updates
                 address multiple security vulnerabilities
                             16 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workstation
                   VMware Fusion
                   VMware Horizon Client for Windows
Publisher:         VMware
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3990 CVE-2020-3989 CVE-2020-3988
                   CVE-2020-3987 CVE-2020-3986 CVE-2020-3980

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2020-0020.html

--------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2020-0020 - VMware Workstation, Fusion and Horizon Client updates address
multiple security vulnerabilities

Advisory ID:  VMSA-2020-0020
CVSSv3 Range: 3.8-6.7
Issue Date:   2020-09-14
Updated On:   2020-09-14 (Initial Advisory)
CVE(s):       CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988,
              CVE-2020-3989, CVE-2020-3990
Synopsis:     VMware Workstation, Fusion and Horizon Client updates address
              multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986,
              CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990)

1. Impacted Products

  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)
  o VMware Horizon Client for Windows

2. Introduction

Multiple vulnerabilities in VMware Workstation, Fusion and Horizon Client were
privately reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products.

3a. PATH configuration privilege escalation vulnerability (CVE-2020-3980)

Description

VMware Fusion contains a privilege escalation vulnerability due to the way it
allows configuring the system wide path. VMware has evaluated the severity of
this issue to be in the Moderate severity range with a maximum CVSSv3 base
score of 6.7.

Known Attack Vectors

An attacker with normal user privileges may exploit this issue to trick an
admin user into executing malicious code on the system where Fusion is
installed.

Resolution

To remediate CVE-2020-3980 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Rich Mirch from TeamARES of Critical Start for
reporting this issue to us.

Response Matrix

Product  Version  Running  CVE Identifier  CVSSv3  Severity  Fixed          Workarounds  Additional
                  On                                         Version                     Documentation
Fusion   12.x     OS X     CVE-2020-3980   6.7     N/A       not affected   N/A          N/A
Fusion   11.x     OS X     CVE-2020-3980   6.7     moderate  patch pending  None         None

3b. Multiple out-of-bounds read vulnerabilities via Cortado ThinPrint
(CVE-2020-3986, CVE-2020-3987, CVE-2020-3988)

Description

VMware Workstation and Horizon Client for Windows contain multiple
out-of-bounds read vulnerabilities in Cortado ThinPrint component. These issues
exist in the EMF and JPEG2000 parsers. VMware has evaluated the severity of
these issues to be in the Moderate severity range with a maximum CVSSv3 base
score of 5.2.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to
exploit these issues to create a partial denial-of-service condition or to leak
memory from TPView process running on the system where Workstation or Horizon
Client for Windows is installed.

Resolution

To remediate CVE-2020-3986 (EMF parser), CVE-2020-3987 (EMR STRETCHDIBITS
parser), and CVE-2020-3988 (JPEG2000 parser) apply the patches listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank KPC of Trend Micro's Zero Day Initiative and pig
working with Trend Micro's Zero Day Initiative for reporting these issues to
us.

Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by default
on Horizon Client.

Response Matrix

Product         Version  Running  CVE Identifier  CVSSv3  Severity  Fixed          Workarounds  Additional
                         On                                         Version                     Documentation
Horizon Client  5.x and  Windows  CVE-2020-3986,  5.2     moderate  5.4.4          None         None
for Windows     prior             CVE-2020-3987,
                                  CVE-2020-3988

Workstation     16.x     Any      CVE-2020-3986,  5.2     N/A       not affected   N/A          N/A
                                  CVE-2020-3987,
                                  CVE-2020-3988

Workstation     15.x     Linux    CVE-2020-3986,  5.2     N/A       not affected   N/A          N/A
                                  CVE-2020-3987,
                                  CVE-2020-3988

Workstation     15.x     Windows  CVE-2020-3986,  5.2     moderate  patch pending  None         None
                                  CVE-2020-3987,
                                  CVE-2020-3988

3c. Denial-of-service vulnerability via Cortado ThinPrint (CVE-2020-3989)

Description

VMware Workstation and Horizon Client for Windows contain a denial of service
vulnerability due to an out-of-bounds write issue in Cortado ThinPrint
component. VMware has evaluated the severity of this issue to be in the Low
severity range with a maximum CVSSv3 base score of 3.8.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to
exploit this issue to create a partial denial-of-service condition on the
system where Workstation or Horizon Client for Windows is installed.

Resolution

To remediate CVE-2020-3989 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank linhlhq of VinCSS (Member of Vingroup) working with
Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by default
on Horizon Client.

Response Matrix

Product         Version  Running  CVE Identifier  CVSSv3  Severity  Fixed          Workarounds  Additional
                         On                                         Version                     Documentation
Horizon Client  5.x and  Windows  CVE-2020-3989   3.8     low       5.4.4          None         None
for Windows     prior

Workstation     16.x     Any      CVE-2020-3989   3.8     N/A       not affected   N/A          N/A
Workstation     15.x     Linux    CVE-2020-3989   3.8     N/A       not affected   N/A          N/A
Workstation     15.x     Windows  CVE-2020-3989   3.8     low       patch pending  None         None

3d. Information disclosure vulnerability via Cortado ThinPrint (CVE-2020-3990)

VMware Workstation and Horizon Client for Windows contain an information
disclosure vulnerability due to an integer overflow issue in Cortado ThinPrint
component. VMware has evaluated the severity of this issue to be in the Low
severity range with a maximum CVSSv3 base score of 3.8.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to
exploit this issue to leak memory from TPView process running on the system
where Workstation or Horizon Client for Windows is installed.

Resolution

To remediate CVE-2020-3990 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank linhlhq of VinCSS (Member of Vingroup) working with
Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by default
on Horizon Client.

Response Matrix

Product         Version  Running  CVE Identifier  CVSSv3  Severity  Fixed          Workarounds  Additional
                         On                                         Version                     Documentation
Horizon Client  5.x and  Windows  CVE-2020-3990   3.8     low       5.4.4          None         None
for Windows     prior

Workstation     16.x     Any      CVE-2020-3990   3.8     N/A       not affected   N/A          N/A
Workstation     15.x     Linux    CVE-2020-3990   3.8     N/A       not affected   N/A          N/A
Workstation     15.x     Windows  CVE-2020-3990   3.8     low       patch pending  None         None

4. References

Fixed Version(s) and Release Notes:

VMware Workstation Pro 16.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 16.0
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 12.0
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware Horizon Client 5.4.4
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3990

FIRST CVSSv3 Calculator:
CVE-2020-3980 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3986 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3987 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3988 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3989 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
CVE-2020-3990 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

5. Change Log

2020-09-14: VMSA-2020-0020 - Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2020 VMware Inc. All rights reserved.

VMSA-2020-0020 - VMware Workstation, Fusion and Horizon Client updates address
multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987,
CVE-2020-3988, CVE-2020-3989, CVE-2020-3990)

Please see the advisory here:
https://www.vmware.com/security/advisories/VMSA-2020-0020.html

Impacted Products:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows

You are receiving this alert because you are subscribed to the VMware Security
Announcements mailing list. To modify your subscription please visit
https://lists.vmware.com/mailman/listinfo/security-announce

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================