=====================================================================
                            CERT-Renater

                 Information Note No. 2020/VULN326
_____________________________________________________________________

DATE                 : 09/06/2020

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running VMware ESXi versions prior to
                       ESXi670-202006401-SG, ESXi650-202005401-SG,
                       VMware Workstation versions prior to 15.5.5,
                       VMware Fusion versions prior to 11.5.5.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0012.html
_____________________________________________________________________

Advisory ID:  VMSA-2020-0012
CVSSv3 Range: 7.1
Issue Date:   2020-06-09
Updated On:   2020-06-09 (Initial Advisory)
CVE(s):       CVE-2020-3960
Synopsis:     VMware ESXi, Workstation and Fusion updates address
              out-of-bounds read vulnerability (CVE-2020-3960)

1. Impacted Products

    VMware vSphere ESXi (ESXi)
    VMware Workstation Pro / Player (Workstation)
    VMware Fusion Pro / Fusion (Fusion)

2. Introduction

An out-of-bounds read vulnerability affecting VMware hypervisors was
privately reported to VMware. Updates are available to address this
vulnerability in affected VMware products.

3. VMware ESXi, Workstation and Fusion out-of-bounds read
   vulnerability (CVE-2020-3960)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds read
vulnerability in NVMe functionality. VMware has evaluated the severity
of this issue to be in the Important severity range with a maximum
CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with local non-administrative access to a virtual
machine may be able to read privileged information contained in
memory.

Resolution

To remediate CVE-2020-3960 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' below to affected ARC
deployments.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Cfir Cohen of Google Cloud security for
reporting this issue to us.

Response Matrix

Product      Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version         Workarounds  Additional Documentation
-----------  -------  ----------  --------------  ------  ---------  --------------------  -----------  ------------------------
ESXi         7.0      Any         CVE-2020-3960   N/A     N/A        Unaffected            N/A          N/A
ESXi         6.7      Any         CVE-2020-3960   7.1     important  ESXi670-202006401-SG  None         None
ESXi         6.5      Any         CVE-2020-3960   7.1     important  ESXi650-202005401-SG  None         None
Workstation  15.x     Any         CVE-2020-3960   7.1     important  15.5.5                None         None
Fusion       11.x     Any         CVE-2020-3960   7.1     important  11.5.5                None         None

4. References

ESXi 6.7 Patch ESXi670-202006401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/ESXi670-202006401-SG.html

ESXi 6.5 Patch ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/ESXi650-202005401-SG.html

VMware Workstation Pro 15.5.5
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Fusion 11.5.5
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3960

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

5. Change Log

2020-06-09 VMSA-2020-0012
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories:
https://www.vmware.com/security/advisories

VMware Security Response Policy:
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases:
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog:
https://blogs.vmware.com/security

Twitter: https://twitter.com/VMwareSRC

Copyright 2020 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================