==================================================================== CERT-Renater Note d'Information No. 2020/VULN136 _____________________________________________________________________ DATE : 13/03/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running VMware Workstation versions prior to 15.5.2, VMware Fusion versions prior to 11.5.2, Horizon Client for Windows versions prior to 5.3.0, VMRC for Windows versions prior to 11.0.0, Workstation for Windows versions prior to 15.5.2. ===================================================================== https://www.vmware.com/security/advisories/VMSA-2020-0004.html _____________________________________________________________________ Advisory ID VMSA-2020-0004 Advisory Severity Critical CVSSv3 Range 7.3-9.3 Synopsis VMware Horizon Client, VMRC, VMware Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2019-5543, CVE-2020-3947, CVE-2020-3948) Issue Date 2020-03-12 Updated On 2020-03-12 (Initial Advisory) CVE(s) CVE-2019-5543, CVE-2020-3947 , CVE-2020-3948 1. Impacted Products VMware Workstation Pro / Player (Workstation) VMware Fusion Pro / Fusion (Fusion) VMware Horizon Client for Windows VMware Remote Console for Windows (VMRC for Windows) 2. Introduction VMware Horizon Client, VMRC, VMware Workstation and Fusion contain use-after-free and privilege escalation vulnerabilities. Patches are available to remediate these vulnerabilities in affected VMware products. 3a. Use-after-free vulnerability in vmnetdhcp (CVE-2020-3947) Description: VMware Workstation and Fusion contain a use-after vulnerability in vmnetdhcp.VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3. Known Attack Vectors: Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine. Resolution: To remediate CVE-2020-3947, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds: None. Additional Documentations: None. Acknowledgements: VMware would like to thank Anonymous working with Trend Micro Zero Day Initiative for reporting this issue to us. Resolution Matrix: Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents Workstation 15.x Any CVE-2020-3947 9.3 Critical 15.5.2 None None Fusion 11.x OS X CVE-2020-3947 9.3 Critical 11.5.2 None None 3b. Local Privilege escalation vulnerability in Cortado Thinprint (CVE-2020-3948) Description: Linux Guest VMs running on VMware Workstation and Fusion contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. Exploitation is only possible if VMware Tools is installed in the VM. VMware Tools is installed by default on Workstation and Fusion.
 Known Attack Vectors: Local attackers with non-administrative access to a Linux guest VM with VMware Tools installed may exploit this issue to elevate their privileges to root on the same guest VM. Resolution: To remediate CVE-2020-3948, apply the patches listed in the 'FixedVersion' column of the 'Resolution Matrix' found below. Workarounds: None. Additional Documentations: None. Acknowledgements: VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us. Resolution Matrix: Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents Workstation 15.x Any CVE-2020-3948 7.8 Important 15.5.2 None None Fusion 11.x OS X CVE-2020-3948 7.8 Important 11.5.2 None None 3c. VMware Horizon Client, VMRC and Workstation privilege escalation vulnerability (CVE-2019-5543) Description: For VMware Horizon Client for Windows, VMRC for Windows and Workstation for Windows the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3. Known Attack Vectors: A local user on the system where the software is installed may exploit this issue to run commands as any user. Resolution: To remediate CVE-2019-5543 update to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds: None. Additional Documentations: None. Acknowledgements: VMware would like to thank Lasse Trolle Borup of Danish Cyber Defence for reporting this issue to us. Resolution Matrix: Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents Horizon Client for Windows 5.x and prior Windows CVE-2019-5543 7.3 Important 5.3.0 None None VMRC for Windows 10.x Windows CVE-2019-5543 7.3 Important 11.0.0 None None Workstation for Windows 15.x Windows CVE-2019-5543 7.3 Important 15.5.2 None None 4. References Fixed Version(s) and Release Notes: VMware Workstation Pro 15.5.2 Downloads and Documentation: https://www.vmware.com/go/downloadworkstation https://docs.vmware.com/en/VMware-Workstation-Pro/index.html VMware Workstation Player 15.5.2 Downloads and Documentation: https://www.vmware.com/go/downloadplayer https://docs.vmware.com/en/VMware-Workstation-Player/index.html VMware Fusion 11.5.2 Downloads and Documentation: https://www.vmware.com/go/downloadfusion https://docs.vmware.com/en/VMware-Fusion/index.html VMware Horizon Client for Windows 5.3.0 Downloads and Documentation: https://my.vmware.com/web/vmware/details?downloadGroup=CART20FQ4_WIN_530&productId=863 https://docs.vmware.com/en/VMware-Horizon-Client/index.html VMware Remote Console for Windows 11.0.0 Downloads and Documentation: https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1100&productId=742 https://docs.vmware.com/en/VMware-Remote-Console/index.html Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5543 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3947 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3948 FIRST CVSSv3 Calculator: CVE-2019-5543-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2020-3947-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2020-3948-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 5. Change log 2020-03-12: VMSA-2020-0004 Initial security advisory in conjunction with the release of Workstation 15.5.2 and Fusion 11.5.2. 6. Contact E-mail list for product security notifications and announcements: https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce@lists.vmware.com bugtraq@securityfocus.com fulldisclosure@seclists.org E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories https://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2020 VMware Inc. All rights reserved. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================