
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN141
_____________________________________________________________________

DATE                : 18/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Workstation versions prior
                         to 15.5.2,
                      VMware Fusion versions prior to 11.5.2,
                      VMware Remote Console versions prior to 11.0.1,
                      VMware Horizon Client versions prior to 5.4.0.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0005.html
_____________________________________________________________________

VMware Security Advisories

Advisory ID             VMSA-2020-0005
Advisory Severity       Important
CVSSv3 Range            3.2-7.3

Synopsis                VMware Workstation, Fusion, VMware Remote
                        Console and Horizon Client updates address
                        privilege escalation and denial-of-service
                        vulnerabilities (CVE-2020-3950, CVE-2020-3951)
Issue Date              2020-03-17
Updated On              2020-03-17 (Initial Advisory)
CVE(s)                  CVE-2020-3950, CVE-2020-3951


1. Impacted Products

    VMware Workstation Pro / Player (Workstation)
    VMware Fusion Pro / Fusion (Fusion)
    VMware Remote Console for Mac (VMRC for Mac)
    VMware Horizon Client for Mac
    VMware Horizon Client for Windows


2. Introduction

VMware Workstation, Fusion, VMware Remote Console and Horizon Client
updates address privilege escalation and denial-of-service
vulnerabilities. Patches are available to remediate these
vulnerabilities in affected VMware products.


3a. Privilege escalation vulnerability via setuid binaries (CVE-2020-3950)

Description:

VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a
privilege escalation vulnerability due to improper use of setuid
binaries. VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.3.


Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal
user privileges to escalate their privileges to root on the system where
Fusion, VMRC or Horizon Client is installed.


Resolution:

To remediate CVE-2020-3950, apply the patches listed in the 'Fixed
Version' column of the 'Resolution Matrix' found below.


Workarounds:

None.


Additional Documentation:

None.


Acknowledgements:

VMware would like to thank Jeffball of GRIMM and Rich Mirch for
independently reporting this issue to us.


Resolution Matrix:

Product                 Version         Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documents
Fusion                  11.x            OS X        CVE-2020-3950   7.3     Important  11.5.2         None         None
VMRC for Mac            11.x and prior  OS X        CVE-2020-3950   7.3     Important  11.0.1         None         None
Horizon Client for Mac  5.x and prior   OS X        CVE-2020-3950   7.3     Important  5.4.0          None         None


3b. Denial of service vulnerability in Cortado Thinprint (CVE-2020-3951)

Description:

VMware Workstation and Horizon Client for Windows contain a
denial-of-service vulnerability due to a heap-overflow issue in Cortado
Thinprint. VMware has evaluated the severity of this issue to be in the
Low severity range with a maximum CVSSv3 base score of 3.2.


Known Attack Vectors:

Attackers with non-administrative access to a guest VM with virtual
printing enabled may exploit this issue to create a denial-of-service
condition of the Thinprint service running on the system where
Workstation or Horizon Client is installed.


Resolution:

To remediate CVE-2020-3951, apply the patches listed in the 'Fixed
Version' column of the 'Resolution Matrix' found below.


Workarounds:

None.


Additional Documentation:

None.



Acknowledgements:

VMware would like to thank Dhanesh Kizhakkinan of FireEye Inc. for
reporting this issue to us.


Notes:

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by
default on Horizon Client.


Resolution Matrix:

Product                     Version        Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documents
Workstation                 15.x           Windows     CVE-2020-3951   3.2     Low       15.5.2         None         None
Workstation                 15.x           Linux       CVE-2020-3951   N/A     N/A       Not affected   N/A          N/A
Horizon Client for Windows  5.x and prior  Windows     CVE-2020-3951   3.2     Low       5.4.0          None         None
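
An added example (not part of the VMware or CERT-Renater advisory): a Python
check that compares an inventory of installed versions against the two
Resolution Matrices in sections 3a and 3b. The inventory entries, host names
and function names are constructed for illustration; branches the matrices do
not list are reported as "not listed" rather than guessed.

```python
# Added example, not vendor code. Rows transcribed from the two Resolution Matrices:
# (product, platform, CVE, affected major branch, "and prior"?, fixed version or None)
MATRIX = [
    ("Fusion", "OS X", "CVE-2020-3950", 11, False, "11.5.2"),
    ("VMRC for Mac", "OS X", "CVE-2020-3950", 11, True, "11.0.1"),
    ("Horizon Client for Mac", "OS X", "CVE-2020-3950", 5, True, "5.4.0"),
    ("Workstation", "Windows", "CVE-2020-3951", 15, False, "15.5.2"),
    ("Workstation", "Linux", "CVE-2020-3951", 15, False, None),  # "Not affected"
    ("Horizon Client for Windows", "Windows", "CVE-2020-3951", 5, True, "5.4.0"),
]

# Constructed inventory: host names, versions and build suffix are made up.
INVENTORY = [
    ("mac-01", "Fusion", "OS X", "11.5.1"),
    ("mac-02", "VMRC for Mac", "OS X", "10.0.6"),
    ("win-01", "Workstation", "Windows", "15.5.2-1234567"),
    ("lin-01", "Workstation", "Linux", "15.5.0"),
]

def parse_version(text):
    """'11.5.1-1234567' or '11.5.1 build 7' -> (11, 5, 1); short versions are zero-padded."""
    core = text.strip().split("-")[0].split()[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, platform, version):
    """Return [(cve, status, fixed_version)] for one installed product."""
    installed = parse_version(version)
    findings = []
    for name, plat, cve, branch, and_prior, fixed in MATRIX:
        if (name, plat) != (product, platform):
            continue
        if fixed is None:
            findings.append((cve, "not affected", None))
        elif installed >= parse_version(fixed):
            findings.append((cve, "fixed", fixed))
        elif installed[0] == branch or (and_prior and installed[0] < branch):
            findings.append((cve, "vulnerable", fixed))
        else:  # older branch the advisory does not list: do not guess
            findings.append((cve, "not listed", fixed))
    return findings

def vulnerable_hosts(inventory):
    return [(host, cve, fixed) for host, product, platform, version in inventory
            for cve, status, fixed in assess(product, platform, version) if status == "vulnerable"]

if __name__ == "__main__":
    for host, cve, fixed in vulnerable_hosts(INVENTORY):
        print(f"{host}: {cve}, upgrade to {fixed}")
```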


4. References


Fixed Version(s) and Release Notes:


VMware Workstation Pro 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html


VMware Workstation Player 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html


VMware Fusion 11.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html


VMware Horizon Client 5.4.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html


VMware Remote Console for Windows 11.0.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1101&productId=742
https://docs.vmware.com/en/VMware-Remote-Console/index.html


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3950
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3951


FIRST CVSSv3 Calculator:

CVE-2020-3950 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2020-3951 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L



5. Change log


2020-03-17: VMSA-2020-0005

Initial security advisory in conjunction with the release of VMware
Remote Console 11.0.1 and Horizon Client 5.4.0.



6. Contact


E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter

https://twitter.com/VMwareSRC



Copyright 2020 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


