Severity: Important
Advisory ID: VMSA-2020-0011
CVSSv3 Range: 3.3-7.3
Issue Date: 2020-05-28
Updated On: 2020-05-28 (Initial Advisory)
CVE(s): CVE-2020-3957, CVE-2020-3958, CVE-2020-3959
Synopsis: VMware ESXi, Workstation, Fusion, VMware Remote Console and Horizon Client updates address multiple security vulnerabilities (CVE-2020-3957, CVE-2020-3958, CVE-2020-3959)

1. Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Remote Console for Mac (VMRC for Mac)
  • VMware Horizon Client for Mac
2. Introduction

Multiple security vulnerabilities in VMware ESXi, Workstation, Fusion, VMRC and Horizon Client were privately reported to VMware. Patches and workarounds are available to remediate or work around these vulnerabilities in affected VMware products.

3a. Service opener - Time-of-check Time-of-use (TOCTOU) issue (CVE-2020-3957)

Description

VMware Fusion, VMRC and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOCTOU) issue in the service opener. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors

Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC and Horizon Client are installed.

Resolution

To remediate CVE-2020-3957 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Rich Mirch of TeamARES from Critical Start Inc. and Jeffball of GRIMM for independently reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Fusion | 11.x | OS X | CVE-2020-3957 | | important | 11.5.5 | None | None |
| VMRC for Mac | 11.x and prior | OS X | CVE-2020-3957 | | important | Patch Pending | None | None |
| Horizon Client for Mac | 5.x and prior | OS X | CVE-2020-3957 | | important | Patch Pending | None | None |

3b. Denial-of-service vulnerability in Shader functionality (CVE-2020-3958)

Description

VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability in the shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.0.

Known Attack Vectors

Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

Successful exploitation of this issue may allow attackers with non-administrative access to a virtual machine to crash the virtual machine's vmx process leading to a denial of service condition.

Resolution

To remediate CVE-2020-3958 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3958 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

Notes

None.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-3958 | N/A | N/A | Unaffected | N/A | N/A |
| ESXi | 6.7 | Any | CVE-2020-3958 | | moderate | ESXi670-202004101-SG | | None |
| ESXi | 6.5 | Any | CVE-2020-3958 | | moderate | ESXi650-202005401-SG | | None |
| Workstation | 15.x | Any | CVE-2020-3958 | | moderate | 15.5.2 | | None |
| Fusion | 11.x | OS X | CVE-2020-3958 | | moderate | 11.5.2 | | None |

3c. Memory leak vulnerability in VMCI module (CVE-2020-3959)

Description

VMware ESXi, Workstation and Fusion contain a memory leak vulnerability in the VMCI module. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.3.

Known Attack Vectors

A malicious actor with local non-administrative access to a virtual machine may be able to crash the virtual machine's vmx process leading to a partial denial of service.

Resolution

To remediate CVE-2020-3959 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Tianwen Tang (VictorV) of Qihoo 360Vulcan Team working with 360 BugCloud for reporting this issue to us.

Notes

None.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-3959 | N/A | N/A | Unaffected | N/A | N/A |
| ESXi | 6.7 | Any | CVE-2020-3959 | | low | ESXi670-202004101-SG | None | None |
| ESXi | 6.5 | Any | CVE-2020-3959 | | low | ESXi650-202005401-SG | None | None |
| Workstation | 15.x | Any | CVE-2020-3959 | | moderate | 15.1.0 | None | None |
| Fusion | 11.x | OS X | CVE-2020-3959 | | low | 11.1.0 | None | None |

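
The version-based rows of the three Response Matrices above can be turned into a check over a software inventory. The following is an added example, not VMware's code: the `MATRIX` layout, the function names and the sample inventory are constructed for illustration, and the ESXi rows are left out because they are fixed by a patch bulletin rather than by a version number.

```python
# Added example: version-based rows of the Response Matrices in this advisory.
# (product, major line, "and prior"?, CVE, fixed version or None = "Patch Pending")
MATRIX = [
    ("Fusion", 11, False, "CVE-2020-3957", "11.5.5"),
    ("VMRC for Mac", 11, True, "CVE-2020-3957", None),
    ("Horizon Client for Mac", 5, True, "CVE-2020-3957", None),
    ("Workstation", 15, False, "CVE-2020-3958", "15.5.2"),
    ("Fusion", 11, False, "CVE-2020-3958", "11.5.2"),
    ("Workstation", 15, False, "CVE-2020-3959", "15.1.0"),
    ("Fusion", 11, False, "CVE-2020-3959", "11.1.0"),
]

def parse_version(text):
    """'11.5.3' -> (11, 5, 3); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def older(a, b):
    """True if version tuple a < b, treating missing components as 0."""
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(a) < pad(b)

def open_cves(product, version):
    """Return [(cve, action)] for advisory rows the install is still exposed to.
    Version lines the matrices do not list are not assessed and yield nothing."""
    installed = parse_version(version)
    findings = []
    for name, major, and_prior, cve, fixed in MATRIX:
        if name != product:
            continue
        in_scope = installed[0] <= major if and_prior else installed[0] == major
        if not in_scope:
            continue
        if fixed is None:
            findings.append((cve, "patch pending"))
        elif older(installed, parse_version(fixed)):
            findings.append((cve, "upgrade to " + fixed))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [("mac-01", "Fusion", "11.5.3"), ("mac-02", "VMRC for Mac", "10.0.6"),
                 ("win-07", "Workstation", "15.5.2")]
    for host, product, version in inventory:
        for cve, action in open_cves(product, version):
            print(f"{host}: {product} {version} -> {cve} ({action})")
```

A Fusion 11.5.3 install is reported for CVE-2020-3957 only, since it already meets the fixed versions listed for the other two CVEs.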
4. References
5. Change Log

2020-05-28: VMSA-2020-0011 - Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC


Copyright 2020 VMware Inc. All rights reserved.