Advisory ID VMSA-2020-0004.1
Advisory Severity Critical
CVSSv3 Range 7.3-9.3
Synopsis VMware Horizon Client, VMRC, VMware Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2019-5543, CVE-2020-3947, CVE-2020-3948)
Issue Date 2020-03-12
Updated On 2020-03-14
CVE(s) CVE-2019-5543, CVE-2020-3947 , CVE-2020-3948
1. Impacted Products
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Horizon Client for Windows
  • VMware Remote Console for Windows (VMRC for Windows)
2. Introduction
VMware Horizon Client, VMRC, VMware Workstation and Fusion contain use-after-free and privilege escalation vulnerabilities. Patches are available to remediate these vulnerabilities in affected VMware products.
 
3a. Use-after-free vulnerability in vmnetdhcp (CVE-2020-3947)

Description:

VMware Workstation and Fusion contain a use-after vulnerability in vmnetdhcp.VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

 

Known Attack Vectors:

Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine.

 

Resolution:

To remediate CVE-2020-3947, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.  

 

Workarounds:

None.

 

Additional Documentations:

None.

 

Acknowledgements:

VMware would like to thank Anonymous working with Trend Micro Zero Day Initiative for reporting this issue to us.

 

Resolution Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
Workstation
15.x
Any CVE-2020-3947
9.3
Critical
15.5.2
None None
Fusion 11.x OS X CVE-2020-3947 9.3 Critical 11.5.2 None None
3b. Local Privilege escalation vulnerability in Cortado Thinprint (CVE-2020-3948)

Description:

Linux Guest VMs running on VMware Workstation and Fusion contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. Exploitation is only possible if virtual printing is enabled in the Guest VM. Virtual printing is not enabled by default on Workstation and Fusion.

 

Known Attack Vectors:

Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM.

 

Resolution:

To remediate CVE-2020-3948, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below and uninstall and reinstall VMware Virtual Printer for each VM.

 

Workarounds:

None.

 

Additional Documentations:

None.

 

Acknowledgements:

VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us.

 

Resolution Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
Workstation
15.x
Any
CVE-2020-3948
7.8
Important
15.5.2
None None
Fusion
11.x OS X CVE-2020-3948
7.8
Important
11.5.2 None None
3c. VMware Horizon Client, VMRC and Workstation privilege escalation vulnerability (CVE-2019-5543)

Description:

For VMware Horizon Client for Windows, VMRC for Windows and Workstation for Windows the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

 

Known Attack Vectors:

A local user on the system where the software is installed may exploit this issue to run commands as any user.

 

Resolution:

To remediate CVE-2019-5543 update to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

None.

 

Additional Documentations:

None.

 

Acknowledgements:

VMware would like to thank Lasse Trolle Borup of Danish Cyber Defence for reporting this issue to us.

 

Resolution Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
Horizon Client for Windows 5.x and prior Windows CVE-2019-5543 7.3 Important 5.3.0 None
None
VMRC for Windows 10.x Windows CVE-2019-5543 7.3 Important 11.0.0 None
None
Workstation for Windows 15.x
Windows
CVE-2019-5543
7.3
Important
15.5.2
None
None

4. References

 

Fixed Version(s) and Release Notes:

 

VMware Workstation Pro 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation

https://docs.vmware.com/en/VMware-Workstation-Pro/index.html


VMware Workstation Player 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

 

VMware Fusion 11.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

 

VMware Horizon Client for Windows 5.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=CART20FQ4_WIN_530&productId=863
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

 

VMware Remote Console for Windows 11.0.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1100&productId=742
https://docs.vmware.com/en/VMware-Remote-Console/index.html

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3948

 

FIRST CVSSv3 Calculator:
CVE-2019-5543-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2020-3947-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2020-3948-https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

5. Change log
 

2020-03-12: VMSA-2020-0004  

Initial security advisory in conjunction with the release of Workstation 15.5.2 and Fusion 11.5.2.

 

2020-03-14: VMSA-2020-0004.1
Clarified that the issue is present if virtual printing is enabled and that VMware Virtual Printer must be reinstalled to remediate the issue.

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2020 VMware Inc. All rights reserved.

 

Sign up for Security Advisories

Enter your email address: