-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4160
VMSA-2020-0026 - VMware ESXi, Workstation and Fusion updates address
use-after-free and privilege escalation vulnerabilities
24 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           VMware ESXi
                   VMware Workstation Pro / Player (Workstation)
                   VMware Fusion Pro / Fusion (Fusion)
                   VMware Cloud Foundation
Publisher:         VMware
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Increased Privileges            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4005 CVE-2020-4004
Original Bulletin:
  https://www.vmware.com/security/advisories/VMSA-2020-0026.html
--------------------------BEGIN INCLUDED TEXT--------------------
Critical
Advisory ID: VMSA-2020-0026
CVSSv3 Range: 8.8 - 9.3
Issue Date: 2020-11-19
Updated On: 2020-11-19 (Initial Advisory)
CVE(s): CVE-2020-4004, CVE-2020-4005
Synopsis: VMware ESXi, Workstation and Fusion updates address use-after-free
and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005)
1. Impacted Products
* VMware ESXi
* VMware Workstation Pro / Player (Workstation)
* VMware Fusion Pro / Fusion (Fusion)
* VMware Cloud Foundation
2. Introduction
Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately
reported to VMware. Updates are available to remediate these vulnerabilities in
affected VMware products.
3a. Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)
Description
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in
the XHCI USB controller. VMware has evaluated the severity of this issue to be
in the Critical severity range with a maximum CVSSv3 base score of 9.3.
Known Attack Vectors
A malicious actor with local administrative privileges on a virtual machine may
exploit this issue to execute code as the virtual machine's VMX process running
on the host.
Resolution
To remediate CVE-2020-4004 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.
Workarounds
Workarounds for CVE-2020-4004 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360
Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this
issue to us.
Notes
None.
Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version         Workarounds                       Additional Documentation
ESXi                            7.0      Any         CVE-2020-4004   9.3     critical  ESXi70U1b-17168206    Remove XHCI (USB 3.x) controller  None
ESXi                            6.7      Any         CVE-2020-4004   9.3     critical  ESXi670-202011101-SG  Remove XHCI (USB 3.x) controller  None
ESXi                            6.5      Any         CVE-2020-4004   9.3     critical  ESXi650-202011301-SG  Remove XHCI (USB 3.x) controller  None
Fusion                          12.x     OS X        CVE-2020-4004   N/A     N/A       Unaffected            N/A                               N/A
Fusion                          11.x     OS X        CVE-2020-4004   9.3     critical  11.5.7                Remove XHCI (USB 3.x) controller  None
Workstation                     16.x     Any         CVE-2020-4004   N/A     N/A       Unaffected            N/A                               N/A
Workstation                     15.x     Any         CVE-2020-4004   9.3     critical  15.5.7                Remove XHCI (USB 3.x) controller  None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-4004   9.3     critical  Patch Pending         Remove XHCI (USB 3.x) controller  None
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-4004   9.3     critical  Patch Pending         Remove XHCI (USB 3.x) controller  None
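The "Remove XHCI (USB 3.x) controller" workaround is applied per virtual machine, so a defender needs an inventory of which VMs still carry the controller. The following added example (not VMware's or AusCERT's code) scans a directory tree of .vmx files and lists the VMs where the controller is still enabled. It assumes the controller is recorded in the VM's .vmx configuration as usb_xhci.present = "TRUE", the standard VMX key, which the advisory itself does not quote; the three sample .vmx files it creates are constructed inline so the script runs stand-alone.

```python
"""Inventory check for the CVE-2020-4004 workaround (XHCI USB 3.x controller).

Added example, not VMware's or AusCERT's code. Assumption: a VM's .vmx
file records the controller as  usb_xhci.present = "TRUE"  (the standard
VMX key; the advisory only names the controller). The sample .vmx files
built by make_sample_inventory() are constructed for a stand-alone run.
"""
import re
import sys
import tempfile
from pathlib import Path

# key = "value" lines as written in .vmx files; values are usually quoted.
VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(path: Path) -> dict:
    """Parse a .vmx file into a dict. Keys are lower-cased because ESXi
    treats VMX keys case-insensitively."""
    settings = {}
    for line in path.read_text(errors="replace").splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def has_xhci(settings: dict) -> bool:
    """True when the VM still has a USB 3.x (XHCI) controller attached."""
    return settings.get("usb_xhci.present", "FALSE").upper() == "TRUE"


def find_xhci_vms(root: Path) -> list:
    """Return (display name, path) for every .vmx under root that still has
    an XHCI controller, i.e. where the workaround has not been applied."""
    hits = []
    for vmx in sorted(root.rglob("*.vmx")):
        cfg = parse_vmx(vmx)
        if has_xhci(cfg):
            hits.append((cfg.get("displayname", vmx.stem), str(vmx)))
    return hits


def make_sample_inventory() -> Path:
    """Constructed sample datastore: one VM still exposed, one with only a
    USB 2.0 controller, one where the XHCI controller was already removed."""
    root = Path(tempfile.mkdtemp(prefix="vmx-sample-"))
    samples = {
        "web01": 'displayName = "web01"\nusb_xhci.present = "TRUE"\n',
        "db01": 'displayName = "db01"\nusb.present = "TRUE"\n',
        "ci01": 'displayName = "ci01"\n# XHCI removed per VMSA-2020-0026\n'
                'usb_xhci.present = "FALSE"\n',
    }
    for name, text in samples.items():
        (root / name).mkdir()
        (root / name / f"{name}.vmx").write_text(text)
    return root


if __name__ == "__main__":
    # Pass a datastore mount point to scan it; with no argument the
    # constructed sample inventory is scanned instead.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_inventory()
    for name, path in find_xhci_vms(root):
        print(f"XHCI controller still present: {name} ({path})")
```

Run it against a mounted datastore (or a copy of the VM folders) to get the list of VMs that still need either the patch from the Fixed Version column or the controller removed. The check reads configuration only and does not change any VM; it is deliberately case-insensitive on both key and value because VMX files written by different tools vary in casing.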
3b. VMX elevation-of-privilege vulnerability (CVE-2020-4005)
Description
VMware ESXi contains a privilege-escalation vulnerability that exists in the
way certain system calls are being managed. VMware has evaluated the severity
of this issue to be in the Important severity range with a maximum CVSSv3 base
score of 8.8.
Known Attack Vectors
A malicious actor with privileges within the VMX process only may escalate
their privileges on the affected system. Successful exploitation of this issue
is only possible when chained with another vulnerability (e.g. CVE-2020-4004).
Resolution
To remediate CVE-2020-4005 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360
Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this
issue to us.
Notes
None.
Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version         Workarounds  Additional Documentation
ESXi                            7.0      Any         CVE-2020-4005   8.8     important  ESXi70U1b-17168206    None         None
ESXi                            6.7      Any         CVE-2020-4005   8.8     important  ESXi670-202011101-SG  None         None
ESXi                            6.5      Any         CVE-2020-4005   8.8     important  ESXi650-202011301-SG  None         None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-4005   8.8     important  Patch Pending         None         None
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-4005   8.8     important  Patch Pending         None         None
4. References
VMware ESXi 7.0 ESXi70U1b-17168206
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1b.html
VMware ESXi 6.7 ESXi670-202011101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011002.html
VMware ESXi 6.5 ESXi650-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011002.html
VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion 11.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4005
FIRST CVSSv3 Calculator:
CVE-2020-4004 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-4005 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
5. Change Log
2020-11-19 VMSA-2020-0026
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2020 VMware Inc. All rights reserved.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----