Severity: Important
Advisory ID: VMSA-2020-0005.2
CVSSv3 Range: 3.2-7.3
Issue Date: 2020-03-17
Updated On: 2020-03-24
CVE(s): CVE-2020-3950, CVE-2020-3951
Synopsis: VMware Workstation, Fusion, VMware Remote Console and Horizon Client updates address privilege escalation and denial-of-service vulnerabilities (CVE-2020-3950, CVE-2020-3951)

1. Impacted Products
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Remote Console for Mac (VMRC for Mac)
  • VMware Horizon Client for Mac
  • VMware Horizon Client for Windows
2. Introduction

VMware Workstation, Fusion, VMware Remote Console and Horizon Client updates address privilege escalation and denial-of-service vulnerabilities. Patches are available to remediate these vulnerabilities in affected VMware products.

3a. Privilege escalation vulnerability via setuid binaries (CVE-2020-3950)

Description

VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a privilege escalation vulnerability due to improper use of setuid binaries. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors

Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.

Resolution

To remediate CVE-2020-3950, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Jeffball of GRIMM and Rich Mirch for independently reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Fusion | 11.x | OS X | CVE-2020-3950 | | important | 11.5.3 | None | None |
| VMRC for Mac | 11.x and prior | OS X | CVE-2020-3950 | | important | 11.0.1 | None | None |
| Horizon Client for Mac | 5.x and prior | OS X | CVE-2020-3950 | | important | 5.4.0 | None | None |

3b. Denial of service vulnerability in Cortado Thinprint (CVE-2020-3951)

Description

VMware Workstation and Horizon Client for Windows contain a denial-of-service vulnerability due to a heap-overflow issue in Cortado Thinprint. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.2.

Known Attack Vectors

Attackers with non-administrative access to a guest VM with virtual printing enabled may exploit this issue to create a denial-of-service condition of the Thinprint service running on the system where Workstation or Horizon Client is installed.

Resolution

To remediate CVE-2020-3951, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.

Acknowledgements

VMware would like to thank Dhanesh Kizhakkinan of FireEye Inc. for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Workstation | 15.x | Windows | CVE-2020-3951 | | low | 15.5.2 | None | None |
| Workstation | 15.x | Linux | CVE-2020-3951 | N/A | N/A | Not affected | N/A | N/A |
| Horizon Client for Windows | 5.x and prior | Windows | CVE-2020-3951 | | low | 5.4.0 | None | None |

4. References
5. Change Log

2020-03-17: VMSA-2020-0005
Initial security advisory in conjunction with the release of VMware Remote Console 11.0.1 and Horizon Client 5.4.0.

2020-03-18: VMSA-2020-0005.1
Updated security advisory with additional instructions found in KB78294 which must be applied after updating to Fusion 11.5.2 to remediate CVE-2020-3950.

2020-03-24: VMSA-2020-0005.2
Updated security advisory to add Fusion 11.5.3 in 'Fixed Version' which has a complete fix for CVE-2020-3950.
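
The following is an added example, not part of the advisory or any VMware tooling: a small triage routine that checks an installed product version against the two matrices above, including the change-log point that Fusion 11.5.2 is below the fixed version 11.5.3. The function names, status strings and inventory rows are assumptions made for illustration.

```python
# Added triage example; rows transcribed from the advisory's two matrices.
# Row: (product, platform, CVE, listed major, "and prior"?, fixed version)
MATRIX = [
    ("Fusion", "OS X", "CVE-2020-3950", 11, False, "11.5.3"),
    ("VMRC for Mac", "OS X", "CVE-2020-3950", 11, True, "11.0.1"),
    ("Horizon Client for Mac", "OS X", "CVE-2020-3950", 5, True, "5.4.0"),
    ("Workstation", "Windows", "CVE-2020-3951", 15, False, "15.5.2"),
    ("Workstation", "Linux", "CVE-2020-3951", 15, False, None),  # Not affected
    ("Horizon Client for Windows", "Windows", "CVE-2020-3951", 5, True, "5.4.0"),
]

def parse(version):
    """Turn '11.5.10' into (11, 5, 10, 0) so comparison is numeric, not textual."""
    nums = [int(part) for part in version.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def triage(product, platform, version):
    """Return a list of (cve, status) for one installed product."""
    installed = parse(version)
    findings = []
    for name, plat, cve, major, prior, fixed in MATRIX:
        if (name, plat) != (product, platform):
            continue
        in_scope = installed[0] == major or (prior and installed[0] < major)
        if not in_scope:
            status = "version not listed in advisory"
        elif fixed is None:
            status = "not affected"
        elif installed >= parse(fixed):
            status = "fixed"
        else:
            status = "update to " + fixed
        findings.append((cve, status))
    return findings

# Constructed inventory, not real hosts.
INVENTORY = [
    ("mac-01", "Fusion", "OS X", "11.5.2"),
    ("mac-02", "VMRC for Mac", "OS X", "10.0.6"),
    ("win-01", "Workstation", "Windows", "15.5.2"),
    ("lin-01", "Workstation", "Linux", "15.5.1"),
    ("win-02", "Horizon Client for Windows", "Windows", "5.3.0"),
]

if __name__ == "__main__":
    for host, product, platform, version in INVENTORY:
        for cve, status in triage(product, platform, version):
            print(host, product, version, cve, status)
```

For hosts flagged under CVE-2020-3951, the advisory's note still applies: exploitation is only possible if virtual printing has been enabled.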

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 
This Security Advisory is posted to the following lists:
  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org
 
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055
 
VMware Security Advisories
https://www.vmware.com/security/advisories
 
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
 
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
 
VMware Security & Compliance Blog  
https://blogs.vmware.com/security
 
Twitter
https://twitter.com/VMwareSRC


 
Copyright 2020 VMware Inc. All rights reserved.