Advisory ID VMSA-2020-0005.2
Advisory Severity Important
CVSSv3 Range 3.2-7.3
Synopsis VMware Workstation, Fusion, VMware Remote Console and Horizon Client updates address privilege escalation and denial-of-service vulnerabilities (CVE-2020-3950, CVE-2020-3951)
Issue Date 2020-03-17
Updated On 2020-03-24
CVE(s) CVE-2020-3950, CVE-2020-3951
1. Impacted Products
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Remote Console for Mac (VMRC for Mac)
  • VMware Horizon Client for Mac
  • VMware Horizon Client for Windows
2. Introduction
VMware Workstation, Fusion, VMware Remote Console and Horizon Client updates address privilege escalation and denial-of-service vulnerabilities. Patches are available to remediate these vulnerabilities in affected VMware products.
 
3a. Privilege escalation vulnerability via setuid binaries (CVE-2020-3950 )

Description:

VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a privilege escalation vulnerability due to improper use of setuid binaries. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

 

Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.

 

Resolution:
To remediate CVE-2020-3950, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

None.

 

Additional Documentations:

None.

 

Acknowledgements:

VMware would like to thank Jeffball of GRIMM and Rich Mirch for independently reporting this issue to us.

 

Resolution Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
Fusion 11.x OS X CVE-2020-3950
7.3 Important 11.5.3 None None
VMRC for Mac 11.x and prior OS X CVE-2020-3950 7.3 Important 11.0.1 None None
Horizon Client for Mac 5.x and prior OS X CVE-2020-3950 7.3 Important 5.4.0 None None
3b. Denial of service vulnerability in Cortado Thinprint (CVE-2020-3951)

Description:

VMware Workstation and Horizon Client for Windows contain a denial-of-service vulnerability due to a heap-overflow issue in Cortado Thinprint. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.2.

 

Known Attack Vectors:

Attackers with non-administrative access to a guest VM with virtual printing enabled may exploit this issue to create a denial-of-service condition of the Thinprint service running on the system where Workstation or Horizon Client is installed.

 

Resolution:

To remediate CVE-2020-3951, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

None.

 

Additional Documentations:

None.

 

Acknowledgements:

VMware would like to thank Dhanesh Kizhakkinan of FireEye Inc. for reporting this issue to us.

 

Notes:

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.

 

Resolution Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
Workstation   15.x Windows CVE-2020-3951 3.2 Low 15.5.2 None None
Workstation   15.x Linux CVE-2020-3951 N/A N/A Not affected
N/A N/A
Horizon Client for Windows 5.x and prior Windows CVE-2020-3951
3.2 Low
5.4.0 None
None

5. Change log
 

2020-03-17: VMSA-2020-0005

Initial security advisory in conjunction with the release of VMware Remote Console 11.0.1 and Horizon Client 5.4.0.

2020-03-18: VMSA-2020-0005.1
Updated security advisory with additional instructions found in KB78294 which must be applied after updating to Fusion 11.5.2 to remediate CVE-2020-3950.

 

2020-03-24: VMSA-2020-0005.2
Updated security advisory to add Fusion 11.5.3 in 'Fixed Version' which has a complete fix for CVE-2020-3950.

 

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2020 VMware Inc. All rights reserved.

 

Sign up for Security Advisories

Enter your email address: