Severity: Critical
Advisory ID: VMSA-2020-0004.1
CVSSv3 Range: 7.3-9.3
Issue Date: 2020-03-12
Updated On: 2020-03-14
CVE(s): CVE-2019-5543, CVE-2020-3947, CVE-2020-3948
Synopsis: VMware Horizon Client, VMRC, VMware Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2019-5543, CVE-2020-3947, CVE-2020-3948)

1. Impacted Products
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Horizon Client for Windows
  • VMware Remote Console for Windows (VMRC for Windows)
2. Introduction

VMware Horizon Client, VMRC, VMware Workstation and Fusion contain use-after-free and privilege escalation vulnerabilities. Patches are available to remediate these vulnerabilities in affected VMware products.

3a. Use-after-free vulnerability in vmnetdhcp (CVE-2020-3947)

Description

VMware Workstation and Fusion contain a use-after-free vulnerability in vmnetdhcp. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine.

Resolution

To remediate CVE-2020-3947, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.  

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Anonymous working with Trend Micro Zero Day Initiative for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workstation | 15.x | Any | CVE-2020-3947 | 9.3 | critical | 15.5.2 | None | None |
| Fusion | 11.x | OS X | CVE-2020-3947 | 9.3 | critical | 11.5.2 | None | None |

3b. Local Privilege escalation vulnerability in Cortado Thinprint (CVE-2020-3948)

Description

Linux Guest VMs running on VMware Workstation and Fusion contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. Exploitation is only possible if virtual printing is enabled in the Guest VM. Virtual printing is not enabled by default on Workstation and Fusion.

Known Attack Vectors

Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM.

Resolution

To remediate CVE-2020-3948, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below and uninstall and reinstall VMware Virtual Printer for each VM. 

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workstation | 15.x | Any | CVE-2020-3948 | 7.8 | important | 15.5.2 | None | None |
| Fusion | 11.x | OS X | CVE-2020-3948 | 7.8 | important | 11.5.2 | None | None |

3c. VMware Horizon Client, VMRC and Workstation privilege escalation vulnerability (CVE-2019-5543)

Description

For VMware Horizon Client for Windows, VMRC for Windows and Workstation for Windows the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors

A local user on the system where the software is installed may exploit this issue to run commands as any user.

Resolution

To remediate CVE-2019-5543, update to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
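
A post-update check for the weakness class described in 3c (a folder writable by all users), as an added example that is not VMware's code. The function name `Get-BroadWriteAce` and the path are hypothetical; the advisory does not name the folder, so the path is a placeholder to replace.

```powershell
# Added example (not VMware code): list ACL entries that let broad,
# non-administrative groups write to a directory.
function Get-BroadWriteAce {
    param([Parameter(Mandatory)] [string] $Path)

    # Well-known SIDs rather than names, so the check works on localized Windows.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }

    # Rights that allow creating, changing or replacing content, plus the
    # generic bits (GENERIC_ALL, GENERIC_WRITE) that can appear unmapped in an ACE.
    $r = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($r::WriteData -bor $r::AppendData -bor $r::Delete -bor
        $r::DeleteSubdirectoriesAndFiles -bor $r::ChangePermissions -bor $r::TakeOwnership)
    $genericMask = 0x10000000 -bor 0x40000000

    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $broadSids.ContainsKey($sid)) { continue }

        $mask = [int]$ace.FileSystemRights
        if (($mask -band $writeMask) -or ($mask -band $genericMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder path: the advisory does not name the folder. An empty result
# means none of the listed groups has an allow entry with write-type rights.
Get-BroadWriteAce -Path 'C:\PLACEHOLDER\usb-arbitration-config' | Format-Table -AutoSize
```

The check covers only the four listed well-known groups; a custom group that contains every local user would need its SID added to `$broadSids`.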

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Lasse Trolle Borup of Danish Cyber Defence for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Horizon Client for Windows | 5.x and prior | Windows | CVE-2019-5543 | 7.3 | important | 5.3.0 | None | None |
| VMRC for Windows | 10.x | Windows | CVE-2019-5543 | 7.3 | important | 11.0.0 | None | None |
| Workstation for Windows | 15.x | Windows | CVE-2019-5543 | 7.3 | important | 15.5.2 | None | None |

4. References
5. Change Log

2020-03-12: VMSA-2020-0004
Initial security advisory in conjunction with the release of Workstation 15.5.2 and Fusion 11.5.2.

2020-03-14: VMSA-2020-0004.1
Clarified that the issue is present if virtual printing is enabled and that VMware Virtual Printer must be reinstalled to remediate the issue.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 
This Security Advisory is posted to the following lists:
  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org
 
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055
 
VMware Security Advisories
https://www.vmware.com/security/advisories
 
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
 
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

 
VMware Security & Compliance Blog  
https://blogs.vmware.com/security
 
Twitter
https://twitter.com/VMwareSRC


 
Copyright 2020 VMware Inc. All rights reserved.