Critical

VMSA-2020-0015.2
4.0 - 9.3
2020-06-23
2020-07-02
CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971
VMware Cloud Foundation, ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation
2. Introduction

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in affected VMware products as well as workarounds. 

3a. Use-after-free vulnerability in SVGA device (CVE-2020-3962)

Description

VMware ESXi, Workstation and Fusion contain a Use-after-free vulnerability in the SVGA device. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine.

Resolution

To remediate CVE-2020-3962 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3962 have been been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) from Synacktiv (@Synacktiv) working with Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

[1] 3D graphics are not enabled by default on ESXi.
[2] 3D graphics are enabled by default on Workstation and Fusion.

3b. Off-by-one heap-overflow vulnerability in SVGA device (CVE-2020-3969)

Description

VMware ESXi, Workstation and Fusion contain an off-by-one heap-overflow vulnerability in the SVGA device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.

Resolution

To remediate CVE-2020-3969 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3969 have been been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) from Synacktiv (@Synacktiv) working with Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

[1] 3D graphics are not enabled by default on ESXi.
[2] 3D graphics are enabled by default on Workstation and Fusion.
[3] CVE-2020-3969 does not affect the ESXi 6.7 or 6.5 release lines.

3c. Out-of-bound read issue in Shader Functionality (CVE-2020-3970)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability in the Shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.0.

Known Attack Vectors

A malicious actor with non-administrative local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to crash the virtual machine's vmx process leading to a partial denial of service condition.

Resolution

To remediate CVE-2020-3970 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3970 have been been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Wei Lei and anhdaden of STAR Labs working with Trend Micro Zero Day Initiative for reporting this issue to us.

Notes

[1] 3D graphics are not enabled by default on ESXi.
[2] 3D graphics are enabled by default on Workstation and Fusion.

Response Matrix - 3a, 3b, 3c

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi[1]
7.0
Any
CVE-2020-3962, CVE-2020-3969, CVE-2020-3970
critical
ESXi_7.0.0-1.20.16321839
None
ESXi[1]
6.7
Any
CVE-2020-3962, [3]CVE-2020-3969, CVE-2020-3970
critical
ESXi670-202004101-SG
None
ESXi[1]
6.5
Any
CVE-2020-3962, [3]CVE-2020-3969, CVE-2020-3970
critical
ESXi650-202005401-SG
None
Fusion[2]
11.x
Any
CVE-2020-3962, CVE-2020-3969, CVE-2020-3970
critical
11.5.5
None
Workstation[2]
15.x
Any
CVE-2020-3962, CVE-2020-3969, CVE-2020-3970
critical
15.5.5
None
VMware Cloud Foundation
4.x
Any
CVE-2020-3962, CVE-2020-3969, CVE-2020-3970
critical
None
VMware Cloud Foundation
3.x
Any
CVE-2020-3962, [3]CVE-2020-3969 CVE-2020-3970
critical
None
3d. Heap-overflow issue in EHCI controller (CVE-2020-3967)

Description

VMware ESXi, Workstation and Fusion contain a heap-overflow vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.

Resolution

To remediate CVE-2020-3967 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3967 have been been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us.

Notes

None.

3e. Out-of-bounds write vulnerability in xHCI controller (CVE-2020-3968)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability in the USB 3.0 controller (xHCI). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to crash the virtual machine's vmx process leading to a denial of service condition or execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.

Resolution

To remediate CVE-2020-3968 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3968 have been been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us.

Notes

None.

Response Matrix - 3d, 3e

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-3967, CVE-2020-3968
important
ESXi_7.0.0-1.20.16321839
None
ESXi
6.7
Any
CVE-2020-3967, CVE-2020-3968
important
ESXi670-202004101-SG
None
ESXi
6.5
Any
CVE-2020-3967, CVE-2020-3968
important
ESXi650-202005401-SG
None
Fusion
11.x
Any
CVE-2020-3967, CVE-2020-3968
important
11.5.5
None
Workstation
15.x
Any
CVE-2020-3967, CVE-2020-3968
important
15.5.5
None
VMware Cloud Foundation
4.x
Any
CVE-2020-3967, CVE-2020-3968
important
None.
VMware Cloud Foundation
3.x
Any
CVE-2020-3967, CVE-2020-3968
important
None
3f. Heap-overflow due to race condition in EHCI controller (CVE-2020-3966)

Description

VMware ESXi, Workstation and Fusion contain a heap-overflow due to a race condition issue in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.

Resolution

To remediate CVE-2020-3966 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3966 have been been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us.

Notes

None.

Response Matrix - 3f

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-3966
important
ESXi_7.0.0-1.20.16321839
None
ESXi
6.7
Any
CVE-2020-3966
important
ESXi670-202004101-SG
None
ESXi
6.5
Any
CVE-2020-3966
important
ESXi650-202005401-SG
None
Fusion
11.x
Any
CVE-2020-3966
important
11.5.2
None
Workstation
15.x
Any
CVE-2020-3966
important
15.5.2
None
VMware Cloud Foundation
4.x
Any
CVE-2020-3966
important
None
VMware Cloud Foundation
3.x
Any
CVE-2020-3966
important
None
3g. Information leak in the XHCI USB controller (CVE-2020-3965)

Description

VMware ESXi, Workstation and Fusion contain an information leak in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

Resolution

To remediate CVE-2020-3965 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3965 have been been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Cfir Cohen of Google Cloud security for reporting this issue to us.

Notes

None.

3h. Information Leak in the EHCI USB controller (CVE-2020-3964)

Description

VMware ESXi, Workstation and Fusion contain an information leak in the EHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to read privileged information contained in the hypervisor's memory. Additional conditions beyond the attacker's control need to be present for exploitation to be possible.

Resolution

To remediate CVE-2020-3964 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3964 have been been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Cfir Cohen of Google Cloud security for reporting this issue to us.

Notes

None.

3i. Use-after-free vulnerability in PVNVRAM (CVE-2020-3963)

Description

VMware ESXi, Workstation and Fusion contain a Use-after-free vulnerability in PVNVRAM. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. Additional conditions beyond the attacker's control need to be present for exploitation to be possible.

Resolution

To remediate CVE-2020-3963 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Cfir Cohen of Google Cloud security for reporting this issue to us.

Notes

[4]The workarounds documented in the Response Matrix below are not applicable to CVE-2020-3963.

Response Matrix - 3g, 3h, 3i

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-3965, CVE-2020-3963, CVE-2020-3964
important
ESXi_7.0.0-1.20.16321839
None
ESXi
6.7
Any
CVE-2020-3965, CVE-2020-3963, CVE-2020-3964
important
ESXi670-202006401-SG
None
ESXi
6.5
Any
CVE-2020-3965, CVE-2020-3963, CVE-2020-3964
important
ESXi650-202005401-SG
None
Fusion
11.x
Any
CVE-2020-3965, CVE-2020-3963, CVE-2020-3964
important
11.5.2
None
Workstation
15.x
Any
CVE-2020-3965, CVE-2020-3963, CVE-2020-3964
important
15.5.2
None
VMware Cloud Foundation
4.x
Any
CVE-2020-3965, CVE-2020-3963, CVE-2020-3964
important
None
VMware Cloud Foundation
3.x
Any
CVE-2020-3965, CVE-2020-3963, CVE-2020-3964
important
3.10.0.1
None
3j. Heap overflow vulnerability in vmxnet3 (CVE-2020-3971)

Description

VMware ESXi, Fusion and Workstation contain a heap overflow vulnerability in the vmxnet3 virtual network adapter. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with local access to a virtual machine with a vmxnet3 network adapter present may be able to read privileged information contained in hypervisor memory from a virtual machine. Additional conditions beyond the attacker's control need to be present for exploitation to be possible.

Resolution

To remediate CVE-2020-3971 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Tianwen Tang(VictorV) of Qihoo 360Vulcan Team for reporting this issue to us.

Notes

None.

Response Matrix - 3j

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-3971
N/A
N/A
Unaffected
N/A
N/A
ESXi
6.7
Any
CVE-2020-3971
moderate
ESXi670-201904101-SG
None.
None
ESXi
6.5
Any
CVE-2020-3971
moderate
ESXi650-201907101-SG
None
None
Fusion
11.x
Any
CVE-2020-3971
moderate
11.0.2
None
None
Workstation
15.x
Any
CVE-2020-3971
moderate
15.0.2
None
None
VMware Cloud Foundation
4.x
Any
CVE-2020-3971
N/A
N/A
Unaffected
None
None
VMware Cloud Foundation
3.x
Any
CVE-2020-3971
moderate
None
None
4. References

Downloads and Documentation:

 

VMware Patch Release ESXi 7.0b
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html

VMware ESXi 6.7 ESXi670-202004101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202004002.html

VMware ESXi 6.7 ESXi670-201904101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html


VMware ESXi 6.5 ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202005001.html

VMware ESXi 6.5 ESXi650-201907101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-esxi-65u3-release-notes.html


VMware Workstation Pro 15.5.5 (Latest)
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.5 (Latest)
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.5 (Latest)
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware Cloud Foundation 4.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.0.1/rn/VMware-Cloud-Foundation-401-Release-Notes.html

 

VMware Cloud Foundation 3.10.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10/rn/VMware-Cloud-Foundation-310-Release-Notes.html#3.10.0.1-Release

 

VMware Cloud Foundation 3.7.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.7.2/rn/VMware-Cloud-Foundation-372-Release-Notes.html

 

VMware Cloud Foundation

https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10/rn/VMware-Cloud-Foundation-310-Release-Notes.html

 

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3962
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3963
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3966
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3971

FIRST CVSSv3 Calculator:

CVE-2020-3962 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-3963 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2020-3964 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2020-3965 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2020-3966 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-3967 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-3968 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-3969 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-3970 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2020-3971 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

5. Change Log

2020-06-23 VMSA-2020-0015
Initial security advisory.

 

2020-06-25 VMSA-2020-0015.1

Updated advisory with remediation information for the VMware Cloud Foundation 4.x release line.

 

2020-07-02 VMSA-2020-0015.2

Updated advisory with remediation information for the VMware Cloud Foundation 3.x release line.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2020 VMware Inc. All rights reserved.