
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN637
_____________________________________________________________________

DATE                : 24/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ESXi, VMware Workstation,
                                   VMware Fusion.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0026.html
_____________________________________________________________________

Critical

Advisory ID:      VMSA-2020-0026
CVSSv3 Range:     8.8 - 9.3
Issue Date:       2020-11-19
Updated On:       2020-11-19 (Initial Advisory)
CVE(s):           CVE-2020-4004, CVE-2020-4005
Synopsis:         VMware ESXi, Workstation and Fusion updates address
                  use-after-free and privilege escalation
                  vulnerabilities (CVE-2020-4004, CVE-2020-4005)


1. Impacted Products

    VMware ESXi
    VMware Workstation Pro / Player (Workstation)
    VMware Fusion Pro / Fusion (Fusion)
    VMware Cloud Foundation


2. Introduction


Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were
privately reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products.


3a. Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free
vulnerability in the XHCI USB controller. VMware has evaluated the
severity of this issue to be in the Critical severity range with a
maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual
machine may exploit this issue to execute code as the virtual machine's
VMX process running on the host.

Resolution

To remediate CVE-2020-4004 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds

Workarounds for CVE-2020-4004 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.


Additional Documentation

None.


Acknowledgements

VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo
360 Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for
reporting this issue to us.


Notes

None.


Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version         Workarounds                       Additional Documentation
------------------------------  -------  ----------  --------------  ------  --------  --------------------  --------------------------------  ------------------------
ESXi                            7.0      Any         CVE-2020-4004   9.3     critical  ESXi70U1b-17168206    Remove XHCI (USB 3.x) controller  None
ESXi                            6.7      Any         CVE-2020-4004   9.3     critical  ESXi670-202011101-SG  Remove XHCI (USB 3.x) controller  None
ESXi                            6.5      Any         CVE-2020-4004   9.3     critical  ESXi650-202011301-SG  Remove XHCI (USB 3.x) controller  None
Fusion                          12.x     OS X        CVE-2020-4004   N/A     N/A       Unaffected            N/A                               N/A
Fusion                          11.x     OS X        CVE-2020-4004   9.3     critical  11.5.7                Remove XHCI (USB 3.x) controller  None
Workstation                     16.x     Any         CVE-2020-4004   N/A     N/A       Unaffected            N/A                               N/A
Workstation                     15.x     Any         CVE-2020-4004   9.3     critical  15.5.7                Remove XHCI (USB 3.x) controller  None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-4004   9.3     critical  Patch Pending         Remove XHCI (USB 3.x) controller  None
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-4004   9.3     critical  Patch Pending         Remove XHCI (USB 3.x) controller  None
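
Added example (not part of the VMware advisory or the CERT-Renater note): a
Python audit for the 'Remove XHCI (USB 3.x) controller' workaround on the
hosted products in the matrix above, listing the VMs that still carry the
controller on a Workstation 15.x or Fusion 11.x install below the fixed
version. Assumptions: the .vmx key usb_xhci.present (from the VMware
configuration format, not from this page) marks the controller, and the VM
names and .vmx contents are constructed samples.

```python
import re

# Fixed releases for the hosted products, from the CVE-2020-4004 response matrix.
FIXED = {"workstation": (15, 5, 7), "fusion": (11, 5, 7)}

# A .vmx file is flat text made of `key = "value"` lines.
_VMX_LINE = re.compile(r'^\s*([^\s=#]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse .vmx text into a dict; keys are lower-cased so case variants are not missed."""
    cfg = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def xhci_present(cfg):
    """True when the VM has a virtual xHCI (USB 3.x) controller configured.
    Assumption: the controller is controlled by the usb_xhci.present key."""
    return cfg.get("usb_xhci.present", "").strip().upper() == "TRUE"

def host_is_vulnerable(product, version):
    """Matrix rows: Workstation 15.x / Fusion 11.x below the fix; 16.x / 12.x unaffected."""
    fixed = FIXED[product.lower()]
    v = tuple(int(p) for p in version.split("."))
    return v[0] == fixed[0] and v < fixed

def vms_needing_workaround(product, version, vmx_by_name):
    """Names of VMs that still expose xHCI on a vulnerable hosted-product install."""
    if not host_is_vulnerable(product, version):
        return []
    return sorted(n for n, t in vmx_by_name.items() if xhci_present(parse_vmx(t)))

# Constructed sample inventory (VM name -> .vmx text); not taken from the advisory.
SAMPLE_VMX = {
    "build-agent": '.encoding = "UTF-8"\nusb.present = "TRUE"\nusb_xhci.present = "TRUE"\n',
    "db01": 'usb.present = "TRUE"\nehci.present = "TRUE"\n',
    "legacy": 'USB_XHCI.Present = "true"\n',
    "kiosk": 'usb_xhci.present = "FALSE"\n',
}

if __name__ == "__main__":
    print(vms_needing_workaround("Workstation", "15.5.6", SAMPLE_VMX))
```

For ESXi hosts the patch state is decided by the installed bulletin listed in
the matrix rather than by a dotted version; xhci_present() applies unchanged to
the .vmx files of their VMs.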

3b. VMX elevation-of-privilege vulnerability (CVE-2020-4005)

Description

VMware ESXi contains a privilege-escalation vulnerability that exists in
the way certain system calls are being managed. VMware has evaluated the
severity of this issue to be in the Important severity range with a
maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor with privileges within the VMX process only may
escalate their privileges on the affected system. Successful
exploitation of this issue is only possible when chained with another
vulnerability (e.g. CVE-2020-4004).

Resolution

To remediate CVE-2020-4005 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds

None.


Additional Documentation

None.


Acknowledgements

VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo
360 Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for
reporting this issue to us.


Notes

None.


Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version         Workarounds  Additional Documentation
------------------------------  -------  ----------  --------------  ------  ---------  --------------------  -----------  ------------------------
ESXi                            7.0      Any         CVE-2020-4005   8.8     important  ESXi70U1b-17168206    None         None
ESXi                            6.7      Any         CVE-2020-4005   8.8     important  ESXi670-202011101-SG  None         None
ESXi                            6.5      Any         CVE-2020-4005   8.8     important  ESXi650-202011301-SG  None         None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-4005   8.8     important  Patch Pending         None         None
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-4005   8.8     important  Patch Pending         None         None


4. References

VMware ESXi 7.0 ESXi70U1b-17168206
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1b.html

VMware ESXi 6.7 ESXi670-202011101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011002.html

VMware ESXi 6.5 ESXi650-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011002.html

VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4005

FIRST CVSSv3 Calculator:
CVE-2020-4004 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-4005 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


5. Change Log

2020-11-19 VMSA-2020-0026
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC


Copyright 2020 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


