Important

VMSA-2020-0017
7.8
2020-07-09
2020-07-09 (Initial Advisory)
CVE-2020-3974
VMware Fusion, VMware Remote Console and Horizon Client updates address a privilege escalation vulnerability (CVE-2020-3974)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Remote Console for Mac (VMRC for Mac)
  • VMware Horizon Client for Mac
2. Introduction

A privilege escalation vulnerability in VMware Fusion, VMRC for Mac and Horizon Client for Mac was privately reported to VMware. Updates are available to address this vulnerability.

3. XPC Client validation privilege escalation vulnerability (CVE-2020-3974)

Description

VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a privilege escalation vulnerability due to improper XPC Client validation. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC for Mac or Horizon Client for Mac is installed.

Resolution

To remediate CVE-2020-3974, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Cees Elzinga of Danish Cyber Defence and Csaba Fitzl (@theevilbit) for independently reporting this issue to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Fusion
11.x
OS X
CVE-2020-3974
important
11.5.5
None
None
VMRC for Mac
11.x and prior
OS X
CVE-2020-3974
important
11.2.0
None
None
Horizon Client for Mac
5.x and prior
OS X
CVE-2020-3974
important
5.4.3
None
None
4. References
5. Change Log

2020-07-09: VMSA-2020-0017 Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 
This Security Advisory is posted to the following lists:
  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org
 
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055
 
VMware Security Advisories
https://www.vmware.com/security/advisories
 
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
 
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
 
VMware Security & Compliance Blog  
https://blogs.vmware.com/security
 
Twitter
https://twitter.com/VMwareSRC


 
Copyright 2020 VMware Inc. All rights reserved.