
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN512
_____________________________________________________________________

DATE                : 15/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Workstation, VMware Fusion,
             VMware Horizon Client for Windows versions prior to 5.4.4.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0020.html
_____________________________________________________________________

Moderate


Advisory ID:     VMSA-2020-0020
CVSSv3 Range:    3.8-6.7
Issue Date:      2020-09-14
Updated On:      2020-09-14 (Initial Advisory)
CVE(s):          CVE-2020-3980, CVE-2020-3986, CVE-2020-3987,
                 CVE-2020-3988, CVE-2020-3989, CVE-2020-3990
Synopsis:        VMware Workstation, Fusion and Horizon Client updates
                 address multiple security vulnerabilities
                 (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987,
                  CVE-2020-3988, CVE-2020-3989, CVE-2020-3990)


1. Impacted Products

    VMware Workstation Pro / Player (Workstation)
    VMware Fusion Pro / Fusion (Fusion)
    VMware Horizon Client for Windows


2. Introduction

Multiple vulnerabilities in VMware Workstation, Fusion and Horizon
Client were privately reported to VMware. Updates are available to
remediate these vulnerabilities in affected VMware products.


3a. PATH configuration privilege escalation vulnerability (CVE-2020-3980)

Description
VMware Fusion contains a privilege escalation vulnerability due to the
way it allows configuring the system wide path. VMware has evaluated the
severity of this issue to be in the Moderate severity range with a
maximum CVSSv3 base score of 6.7.

Known Attack Vectors
An attacker with normal user privileges may exploit this issue to trick
an admin user into executing malicious code on the system where Fusion
is installed.

Resolution
To remediate CVE-2020-3980 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.


Acknowledgements

VMware would like to thank Rich Mirch from TeamARES of Critical Start
for reporting this issue to us.

Response Matrix
Product  Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Fusion   12.x     OS X        CVE-2020-3980   6.7     N/A       not affected   N/A          N/A
Fusion   11.x     OS X        CVE-2020-3980   6.7     moderate  patch pending  None         None


3b. Multiple out-of-bounds read vulnerabilities via Cortado ThinPrint
(CVE-2020-3986, CVE-2020-3987, CVE-2020-3988)

Description
VMware Workstation and Horizon Client for Windows contain multiple
out-of-bounds read vulnerabilities in the Cortado ThinPrint component. These
issues exist in the EMF and JPEG2000 parsers. VMware has evaluated the
severity of these issues to be in the Moderate severity range with a
maximum CVSSv3 base score of 5.2.

Known Attack Vectors
A malicious actor with normal access to a virtual machine may be able to
exploit these issues to create a partial denial-of-service condition or
to leak memory from the TPView process running on the system where
Workstation or Horizon Client for Windows is installed.

Resolution
To remediate CVE-2020-3986 (EMF parser), CVE-2020-3987 (EMR
STRETCHDIBITS parser), and CVE-2020-3988 (JPEG2000 parser) apply the
patches listed in the 'Fixed Version' column of the 'Response Matrix'
found below.

Workarounds
None.

Additional Documentation
None.

Acknowledgements
VMware would like to thank KPC of Trend Micro's Zero Day Initiative and
pig working with Trend Micro's Zero Day Initiative for reporting these
issues to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by
default on Horizon Client.


Response Matrix

Product                     Version        Running On  CVE Identifier                               CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Horizon Client for Windows  5.x and prior  Windows     CVE-2020-3986, CVE-2020-3987, CVE-2020-3988  5.2     moderate  5.4.4          None         None
Workstation                 16.x           Any         CVE-2020-3986, CVE-2020-3987, CVE-2020-3988  5.2     N/A       not affected   N/A          N/A
Workstation                 15.x           Linux       CVE-2020-3986, CVE-2020-3987, CVE-2020-3988  5.2     N/A       not affected   N/A          N/A
Workstation                 15.x           Windows     CVE-2020-3986, CVE-2020-3987, CVE-2020-3988  5.2     moderate  patch pending  None         None


3c. Denial-of-service vulnerability via Cortado ThinPrint (CVE-2020-3989)

Description
VMware Workstation and Horizon Client for Windows contain a denial of
service vulnerability due to an out-of-bounds write issue in the Cortado
ThinPrint component. VMware has evaluated the severity of this issue to
be in the Low severity range with a maximum CVSSv3 base score of 3.8.


Known Attack Vectors
A malicious actor with normal access to a virtual machine may be able to
exploit this issue to create a partial denial-of-service condition on
the system where Workstation or Horizon Client for Windows is installed.

Resolution
To remediate CVE-2020-3989 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Acknowledgements
VMware would like to thank linhlhq of VinCSS (Member of Vingroup)
working with Trend Micro's Zero Day Initiative for reporting this issue
to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by
default on Horizon Client.

Response Matrix
Product                     Version        Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Horizon Client for Windows  5.x and prior  Windows     CVE-2020-3989   3.8     low       5.4.4          None         None
Workstation                 16.x           Any         CVE-2020-3989   3.8     N/A       not affected   N/A          N/A
Workstation                 15.x           Linux       CVE-2020-3989   3.8     N/A       not affected   N/A          N/A
Workstation                 15.x           Windows     CVE-2020-3989   3.8     low       patch pending  None         None


3d. Information disclosure vulnerability via Cortado ThinPrint
(CVE-2020-3990)

Description
VMware Workstation and Horizon Client for Windows contain an information
disclosure vulnerability due to an integer overflow issue in the Cortado
ThinPrint component. VMware has evaluated the severity of this issue to
be in the Low severity range with a maximum CVSSv3 base score of 3.8.

Known Attack Vectors
A malicious actor with normal access to a virtual machine may be able to
exploit this issue to leak memory from the TPView process running on the
system where Workstation or Horizon Client for Windows is installed.

Resolution
To remediate CVE-2020-3990 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Acknowledgements
VMware would like to thank linhlhq of VinCSS (Member of Vingroup)
working with Trend Micro's Zero Day Initiative for reporting this issue
to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by
default on Horizon Client.


Response Matrix

Product                     Version        Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Horizon Client for Windows  5.x and prior  Windows     CVE-2020-3990   3.8     low       5.4.4          None         None
Workstation                 16.x           Any         CVE-2020-3990   3.8     N/A       not affected   N/A          N/A
Workstation                 15.x           Linux       CVE-2020-3990   3.8     N/A       not affected   N/A          N/A
Workstation                 15.x           Windows     CVE-2020-3990   3.8     low       patch pending  None         None


4. References

Fixed Version(s) and Release Notes:


VMware Workstation Pro 16.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html


VMware Workstation Player 16.0
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html



VMware Fusion 12.0
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html


VMware Horizon Client 5.4.4
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3990


FIRST CVSSv3 Calculator:

CVE-2020-3980 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3986 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3987 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3988 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3989 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
CVE-2020-3990 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N


5. Change Log

2020-09-14: VMSA-2020-0020 - Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC


Copyright 2020 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


