
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN580
_____________________________________________________________________

DATE                : 20/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ESXi, VMware Workstation,
                     VMware Player, VMware Fusion, VMware NSX-T,
                     VMware Cloud Foundation.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0023.html
_____________________________________________________________________

Critical


Advisory ID:    VMSA-2020-0023
CVSSv3 Range:   5.9 - 9.8
Issue Date:     2020-10-20
Updated On:     2020-10-20 (Initial Advisory)
CVE(s):         CVE-2020-3981, CVE-2020-3982, CVE-2020-3992,
                CVE-2020-3993, CVE-2020-3994, CVE-2020-3995
Synopsis:
VMware ESXi, Workstation, Fusion and NSX-T updates address multiple
security vulnerabilities (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992,
CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)


1. Impacted Products

    VMware ESXi
    VMware Workstation Pro / Player (Workstation)
    VMware Fusion Pro / Fusion (Fusion)
    NSX-T
    VMware Cloud Foundation


2. Introduction

Multiple vulnerabilities in VMware ESXi, Workstation, Fusion and NSX-T
were privately reported to VMware. Updates are available to remediate
these vulnerabilities in affected VMware products.


3a. ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

Description

OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated
the severity of this issue to be in the Critical severity range with a
maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor residing in the management network who has access to
port 427 on an ESXi machine may be able to trigger a use-after-free in
the OpenSLP service resulting in remote code execution.


Resolution

To remediate CVE-2020-3992 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds

Workarounds for CVE-2020-3992 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.


Additional Documentation

None.


Acknowledgements

VMware would like to thank Lucas Leong (@_wmliang_) of Trend Micro's
Zero Day Initiative for reporting this issue to us.

Notes

None.

Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version            Workarounds  Additional Documentation
------------------------------  -------  ----------  --------------  ------  ---------  -----------------------  -----------  ------------------------
ESXi                            7.0      Any         CVE-2020-3992   9.8     critical   ESXi_7.0.1-0.0.16850804  KB76372      None
ESXi                            6.7      Any         CVE-2020-3992   9.8     critical   ESXi670-202010401-SG     KB76372      None
ESXi                            6.5      Any         CVE-2020-3992   9.8     critical   ESXi650-202010401-SG     KB76372      None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-3992   9.8     critical   4.1                      KB76372      None
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-3992   9.8     critical   3.10.1.1                 KB76372      None


3b. NSX-T MITM vulnerability (CVE-2020-3993)

Description

VMware NSX-T contains a security vulnerability that exists in the way it
allows a KVM host to download and install packages from NSX manager.
VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with MITM positioning may be able to exploit this
issue to compromise the transport node.

Resolution

To remediate CVE-2020-3993 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Kevin Kelpen of ERNW Enno Rey Netzwerke GmbH
for reporting this issue to us.

Notes

None.

Response Matrix:

Product                          Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
-------------------------------  -------  ----------  --------------  ------  ---------  -------------  -----------  ------------------------
NSX-T                            3.x      Any         CVE-2020-3993   7.5     important  3.0.2          None         None
NSX-T                            2.5.x    Any         CVE-2020-3993   7.5     important  2.5.2.2.0      None         None
VMware Cloud Foundation (NSX-T)  4.x      Any         CVE-2020-3993   7.5     important  4.1            None         None
VMware Cloud Foundation (NSX-T)  3.x      Any         CVE-2020-3993   7.5     important  3.10.1.1       None         None


3c. TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds read
vulnerability due to a time-of-check time-of-use issue in the ACPI device.
VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be
able to exploit this issue to leak memory from the vmx process.

Resolution

To remediate CVE-2020-3981 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro's Zero
Day Initiative for reporting this issue to us.

Notes

None.

Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version            Workarounds  Additional Documentation
------------------------------  -------  ----------  --------------  ------  ---------  -----------------------  -----------  ------------------------
ESXi                            7.0      Any         CVE-2020-3981   7.1     important  ESXi_7.0.1-0.0.16850804  None         None
ESXi                            6.7      Any         CVE-2020-3981   7.1     important  ESXi670-202008101-SG     None         None
ESXi                            6.5      Any         CVE-2020-3981   7.1     important  ESXi650-202007101-SG     None         None
Fusion                          12.x     OS X        CVE-2020-3981   N/A     N/A        Unaffected               N/A          N/A
Fusion                          11.x     OS X        CVE-2020-3981   7.1     important  11.5.6                   None         None
Workstation                     16.x     Any         CVE-2020-3981   N/A     N/A        Unaffected               N/A          N/A
Workstation                     15.x     Any         CVE-2020-3981   7.1     important  Patch pending            None         None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-3981   7.1     important  4.1                      None         None
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-3981   7.1     important  3.10.1                   None         None


3d. TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds write
vulnerability due to a time-of-check time-of-use issue in the ACPI device.
VMware has evaluated the severity of this issue to be in the Moderate
severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be
able to exploit this vulnerability to crash the virtual machine's vmx
process or corrupt the hypervisor's memory heap.

Resolution

To remediate CVE-2020-3982 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro's Zero
Day Initiative for reporting this issue to us.

Notes

None.


Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version            Workarounds  Additional Documentation
------------------------------  -------  ----------  --------------  ------  ---------  -----------------------  -----------  ------------------------
ESXi                            7.0      Any         CVE-2020-3982   5.9     moderate   ESXi_7.0.1-0.0.16850804  None         None
ESXi                            6.7      Any         CVE-2020-3982   5.9     moderate   ESXi670-202008101-SG     None         None
ESXi                            6.5      Any         CVE-2020-3982   5.9     moderate   ESXi650-202007101-SG     None         None
Fusion                          12.x     OS X        CVE-2020-3982   N/A     N/A        Unaffected               N/A          N/A
Fusion                          11.x     OS X        CVE-2020-3982   5.9     moderate   11.5.6                   None         None
Workstation                     16.x     Any         CVE-2020-3982   N/A     N/A        Unaffected               N/A          N/A
Workstation                     15.x     Any         CVE-2020-3982   5.9     moderate   Patch pending            None         None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-3982   5.9     moderate   4.1                      None         None
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-3982   5.9     moderate   3.10.1                   None         None


3e. vCenter Server session hijack vulnerability in update function
(CVE-2020-3994)

Description

VMware vCenter Server contains a session hijack vulnerability in the
vCenter Server Appliance Management Interface update function due to a
lack of certificate validation. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3
base score of 7.5.

Known Attack Vectors

A malicious actor with network positioning between vCenter Server and an
update repository may be able to perform a session hijack when the
vCenter Server Appliance Management Interface is used to download
vCenter updates.

Resolution

To remediate CVE-2020-3994 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Thorsten Tüllmann, Karlsruhe Institute of
Technology, for reporting this issue to us.

Notes

None.


Response Matrix:

Product                                   Version  Running On         CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
----------------------------------------  -------  -----------------  --------------  ------  ---------  -------------  -----------  ------------------------
vCenter Server                            7.0      Any                CVE-2020-3994   N/A     N/A        Unaffected     N/A          N/A
vCenter Server                            6.7      Virtual Appliance  CVE-2020-3994   7.5     important  6.7 U3         None         None
vCenter Server                            6.7      Windows            CVE-2020-3994   N/A     N/A        Unaffected     N/A          N/A
vCenter Server                            6.5      Virtual Appliance  CVE-2020-3994   7.5     important  6.5 U3K        None         None
vCenter Server                            6.5      Windows            CVE-2020-3994   N/A     N/A        Unaffected     N/A          N/A
VMware Cloud Foundation (vCenter Server)  4.x      Any                CVE-2020-3994   N/A     N/A        Unaffected     N/A          N/A
VMware Cloud Foundation (vCenter Server)  3.x      Any                CVE-2020-3994   7.5     important  3.9.0          None         None


3f. VMCI host driver memory leak vulnerability (CVE-2020-3995)

Description

The VMCI host drivers used by VMware hypervisors contain a memory leak
vulnerability. VMware has evaluated the severity of this issue to be in
the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with access to a virtual machine may be able to
trigger a memory leak issue resulting in memory resource exhaustion on
the hypervisor if the attack is sustained for extended periods of time.

Resolution

To remediate CVE-2020-3995 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Tianwen Tang (VictorV) for reporting this
issue to us.

Notes

None.


Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version            Workarounds  Additional Documentation
------------------------------  -------  ----------  --------------  ------  ---------  -----------------------  -----------  ------------------------
ESXi                            7.0      Any         CVE-2020-3995   N/A     N/A        Unaffected               N/A          N/A
ESXi                            6.7      Any         CVE-2020-3995   7.1     important  ESXi670-201908101-SG     None         None
ESXi                            6.5      Any         CVE-2020-3995   7.1     important  ESXi650-202007101-SG     None         None
Fusion                          11.x     OS X        CVE-2020-3995   7.1     important  11.1.0                   None         None
Workstation                     15.x     Any         CVE-2020-3995   7.1     important  15.1.0                   None         None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-3995   N/A     N/A        Unaffected               N/A          N/A
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-3995   7.1     important  3.9.0                    None         None


4. References

VMware ESXi 7.0 ESXi_7.0.1-0.0.16850804
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-701-release-notes.html

VMware ESXi 6.7 ESXi670-202010401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202010001.html

VMware ESXi 6.5 ESXi650-202010401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202010001.html

VMware Workstation Pro 15.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware NSX-T 3.0.2
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-302&productId=982&rPId=52624
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware NSX-T 2.5.2.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-2522&productId=673&rPId=53876
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware vCenter Server 6.7u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC67U3&productId=742&rPId=52126

VMware vCenter Server 6.5u3k
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173

VMware vCloud Foundation 4.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html

VMware vCloud Foundation 3.10.1.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.1

VMware vCloud Foundation 3.9
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VCF390&productId=945&rPId=41516

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3995

FIRST CVSSv3 Calculator:
CVE-2020-3981 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2020-3982 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CVE-2020-3992 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-3993 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3994 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3995 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H


5. Change Log

2020-10-20 VMSA-2020-0023
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2020 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


