
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN310
_____________________________________________________________________

DATE                : 29/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ESXi,
                      VMware Workstation Pro / Player (Workstation),
                      VMware Fusion Pro / Fusion (Fusion),
                      VMware Remote Console for Mac (VMRC for Mac),
                      VMware Horizon Client for Mac.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0011.html
_____________________________________________________________________


VMware Security Advisories

Advisory ID             VMSA-2020-0011
Advisory Severity       Important
CVSSv3 Range            3.3-7.3
Synopsis                VMware ESXi, Workstation, Fusion, VMware Remote
                         Console and Horizon Client updates address
                         multiple security vulnerabilities
                        (CVE-2020-3957, CVE-2020-3958, CVE-2020-3959)
Issue Date              2020-05-28
Updated On              2020-05-28 (Initial Advisory)
CVE(s)                  CVE-2020-3957, CVE-2020-3958, CVE-2020-3959


1. Impacted Products

    VMware ESXi
    VMware Workstation Pro / Player (Workstation)
    VMware Fusion Pro / Fusion (Fusion)
    VMware Remote Console for Mac (VMRC for Mac)
    VMware Horizon Client for Mac


2. Introduction

Multiple security vulnerabilities in VMware ESXi, Workstation, Fusion,
VMRC and Horizon Client were privately reported to VMware. Patches and
workarounds are available to remediate or work around these
vulnerabilities in affected VMware products.

3a. Service opener - Time-of-check Time-of-use (TOCTOU) issue
(CVE-2020-3957)

Description:

VMware Fusion, VMRC and Horizon Client contain a local privilege
escalation vulnerability due to a Time-of-check Time-of-use (TOCTOU)
issue in the service opener. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.3.


Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal
user privileges to escalate their privileges to root on the system where
Fusion, VMRC and Horizon Client are installed.


Resolution:
To remediate CVE-2020-3957 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds:

None.


Additional Documentation:

None.


Acknowledgements:

VMware would like to thank Rich Mirch of TeamARES from Critical Start
Inc. and Jeffball of GRIMM for independently reporting this issue to us.



Resolution Matrix:


Product                 Version         Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documents
Fusion                  11.x            OS X        CVE-2020-3957   7.3     Important  11.5.5         None         None
VMRC for Mac            11.x and prior  OS X        CVE-2020-3957   7.3     Important  Patch Pending  None         None
Horizon Client for Mac  5.x and prior   OS X        CVE-2020-3957   7.3     Important  Patch Pending  None         None


3b. Denial-of-service vulnerability in Shader functionality (CVE-2020-3958)

Description:

VMware ESXi, Workstation and Fusion contain a denial-of-service
vulnerability in the shader functionality. VMware has evaluated the
severity of this issue to be in the Moderate severity range with a
maximum CVSSv3 base score of 4.0.


Known Attack Vectors:

Exploitation of this issue requires an attacker to have access to a
virtual machine with 3D graphics enabled. 3D graphics is not enabled by
default on ESXi and is enabled by default on Workstation and Fusion.


Successful exploitation of this issue may allow attackers with non-
administrative access to a virtual machine to crash the virtual
machine's vmx process leading to a denial of service condition.
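
An added example, not part of the VMware advisory: a Python check that reads
.vmx configuration text and reports which VMs meet the 3D-graphics
precondition, falling back to the per-product defaults stated above when the
setting is absent. The mks.enable3d key name is an assumption taken from the
.vmx format and does not appear in this advisory; the sample configurations
are constructed.

```python
import re

# Defaults as stated in the advisory: 3D graphics is off by default on ESXi
# and on by default on Workstation and Fusion.
DEFAULT_3D = {"esxi": False, "workstation": True, "fusion": True}
# Assumption: the .vmx key controlling 3D graphics is mks.enable3d
# (the advisory itself does not name the setting).
KEY_3D = "mks.enable3d"
_LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse key = "value" lines; keys are lower-cased, last value wins."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def is_3d_enabled(vmx_text, product):
    """Return (enabled, reason) for one VM configuration."""
    value = parse_vmx(vmx_text).get(KEY_3D)
    if value is None:
        return DEFAULT_3D[product.lower()], "product default"
    return value.strip().lower() == "true", "explicit setting"


def exposed_vms(inventory):
    """inventory: iterable of (name, product, vmx_text). Returns the names of
    VMs where the CVE-2020-3958 precondition (3D graphics enabled) holds."""
    return [name for name, product, text in inventory
            if is_3d_enabled(text, product)[0]]


# Constructed sample configurations (not from any real system).
SAMPLE = [
    ("build-01", "workstation", 'displayName = "build-01"\nmks.enable3d = "FALSE"\n'),
    ("design-02", "fusion", 'displayName = "design-02"\n'),
    ("vdi-03", "esxi", '# 3D turned on for CAD users\nmks.enable3D = "TRUE"\n'),
    ("db-04", "esxi", 'displayName = "db-04"\n'),
]

if __name__ == "__main__":
    for name in exposed_vms(SAMPLE):
        print(f"{name}: 3D graphics enabled, review CVE-2020-3958 patch status")
```

VMs reported by this check are the ones to prioritise against the 'Fixed
Version' and 'Workarounds' columns for CVE-2020-3958.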


Resolution:

To remediate CVE-2020-3958 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds:

Workarounds for CVE-2020-3958 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.


Additional Documentation:

None.



Acknowledgements:

VMware would like to thank Piotr Bania of Cisco Talos for reporting this
issue to us.


Notes:

None.



Resolution Matrix:


Product      Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version         Workarounds  Additional Documents
ESXi         7.0      Any         CVE-2020-3958   N/A     N/A       Unaffected            N/A          N/A
ESXi         6.7      Any         CVE-2020-3958   4.0     Moderate  ESXi670-202004101-SG  See Item 34  None
ESXi         6.5      Any         CVE-2020-3958   4.0     Moderate  ESXi650-202005401-SG  See Item 34  None
Workstation  15.x     Any         CVE-2020-3958   4.0     Moderate  15.5.2                KB59146      None
Fusion       11.x     OS X        CVE-2020-3958   4.0     Moderate  11.5.2                KB59146      None


3c. Memory leak vulnerability in VMCI module (CVE-2020-3959)

Description:

VMware ESXi, Workstation and Fusion contain a memory leak vulnerability
in the VMCI module. VMware has evaluated the severity of this issue to
be in the Low severity range with a maximum CVSSv3 base score of 3.3.


Known Attack Vectors:

A malicious actor with local non-administrative access to a virtual
machine may be able to crash the virtual machine's vmx process leading
to a partial denial of service.


Resolution:

To remediate CVE-2020-3959 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds:

None.


Additional Documentation:

None.


Acknowledgements:

VMware would like to thank Tianwen Tang (VictorV) of Qihoo 360Vulcan Team
working with 360 BugCloud for reporting this issue to us.


Notes:

None.



Resolution Matrix:

Product      Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version         Workarounds  Additional Documents
ESXi         7.0      Any         CVE-2020-3959   N/A     N/A       Unaffected            N/A          N/A
ESXi         6.7      Any         CVE-2020-3959   3.3     Low       ESXi670-202004101-SG  None         None
ESXi         6.5      Any         CVE-2020-3959   3.3     Low       ESXi650-202005401-SG  None         None
Workstation  15.x     Any         CVE-2020-3959   3.3     Low       15.1.0                None         None
Fusion       11.x     OS X        CVE-2020-3959   3.3     Low       11.1.0                None         None


4. References


Fixed Version(s) and Release Notes:


VMware ESXi 6.7 ESXi670-202004101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202004002.html


VMware ESXi 6.5 ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202005001.html


VMware Workstation Pro 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html


VMware Workstation Player 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html


VMware Fusion 11.5.5 (Latest)
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3959



FIRST CVSSv3 Calculator:

CVE-2020-3957 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2020-3958 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2020-3959 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L



5. Change log


2020-05-28: VMSA-2020-0011 - Initial security advisory.



6. Contact


E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org



E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055



VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2020 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



