
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN333
_____________________________________________________________________

DATE                : 11/06/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows running VMware Horizon Client versions
                     prior to 5.4.3.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0013.html
_____________________________________________________________________

Advisory ID: VMSA-2020-0013
CVSSv3 Range: 8.4
Issue Date: 2020-06-09
Updated On: 2020-06-09 (Initial Advisory)
CVE(s): CVE-2020-3961
Synopsis: VMware Horizon Client for Windows update addresses privilege
escalation vulnerability (CVE-2020-3961)

1. Impacted Products

  o VMware Horizon Client for Windows

2. Introduction

A privilege escalation vulnerability affecting VMware Horizon Client for
Windows was privately reported to VMware. Updates are available to
address this vulnerability in affected VMware products.


3. VMware Horizon Client for Windows privilege escalation vulnerability

Description

VMware Horizon Client for Windows contains a privilege escalation
vulnerability due to folder permission configuration and unsafe loading
of libraries. VMware has evaluated the severity of this issue to be in
the Important severity range with a maximum CVSSv3 base score of 8.4.


Known Attack Vectors

A local user on the system where the software is installed may exploit
this issue to run commands as any user.


Resolution

To remediate CVE-2020-3961 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' below.


Workarounds

None.


Additional Documentation

None.


Notes

None.


Acknowledgements

VMware would like to thank Nuttakorn Tungpoonsup and Ammarit Thongthua
of Secure D Center Research Team, Secure D Center Co., Ltd. and
Cybersecurity Researcher Sittikorn Sangrattanapitak for reporting this
issue to us.


Response Matrix

Product          | Version      | Running On | CVE Identifier | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
-----------------|--------------|------------|----------------|--------|-----------|---------------|-------------|-------------------------
Horizon Client   | 5.x and      | Windows    | CVE-2020-3961  | 8.4    | Important | 5.4.3         | None        | None
for Windows      | prior        |            |                |        |           |               |             |



4. References

Fixed Version(s) and Release Notes:

VMware Horizon Client 5.4.3
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3961


FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N


5. Change Log

2020-06-09 VMSA-2020-0013
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================