Moderate

VMSA-2020-0018
5.3
2020-08-20
2020-08-20 (Initial Advisory)
CVE-2020-3976
VMware ESXi, vCenter Server, and Cloud Foundation updates address a partial denial of service vulnerability (CVE-2020-3976)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products
  • VMware ESXi
  • VMware vCenter Server
  • VMware Cloud Foundation
2. Introduction

A partial denial of service vulnerability in VMware ESXi and vCenter Server was privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in affected VMware products.

3. Partial denial of service vulnerability via authentication services (CVE-2020-3976)

Description

VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to ESXi or vCenter may be able to exploit this vulnerability to exhaust memory resources resulting in a degradation of performance condition while the attack is sustained.

Resolution

To remediate CVE-2020-3976 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank weinull of Orz Team for reporting this issue to us.

Notes

None.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-3976
moderate
None
None
ESXi
6.7
Any
CVE-2020-3976
moderate
None
None
ESXi
6.5
Any
CVE-2020-3976
moderate
None
None
Cloud Foundation (ESXi)
4.x.x
Any
CVE-2020-3976
moderate
None
None
Cloud Foundation (ESXi)
3.x.x
Any
CVE-2020-3976
moderate
None
None
vCenter Server
7.0
Any
CVE-2020-3976
moderate
None
None
vCenter Server
6.7
Any
CVE-2020-3976
moderate
None
None
vCenter Server
6.5
Any
CVE-2020-3976
moderate
None
None
Cloud Foundation (vCenter)
4.x.x
Any
CVE-2020-3976
moderate
None
None
Cloud Foundation (vCenter)
3.x.x
Any
CVE-2020-3976
moderate
None
None
4. References

Downloads and Documentation:

 

VMware ESXi Patch Release 7.0b

https://my.vmware.com/group/vmware/patch

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/esxi70b.html


VMware ESXi 6.7 ESXi670-202008101-SG and ESXi670-202008401-BG

https://my.vmware.com/group/vmware/patch


VMware ESXi 6.5 ESXi650-202007101-SG and ESXi650-202007401-BG

https://my.vmware.com/group/vmware/patch

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202007001.html


vCenter Server 7.0.0b

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC700B&productId=974&rPId=50093

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-700b-release-notes.html


vCenter Server 6.7u3j

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC67U3J&productId=742&rPId=50446

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3j-release-notes.html


vCenter Server 6.5u3k

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3k-release-notes.html

 

VMware Cloud Foundation 4.0.1

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF401&productId=1015&rPId=48125


VMware Cloud Foundation 3.10.0

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF310&productId=1001&rPId=46540


VMware Cloud Foundation 3.10.1

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF3101&productId=1001&rPId=51823

 

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3976

FIRST CVSSv3 Calculator:
CVE-2020-3976 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5. Change Log

2020-08-20 VMSA-2020-0018

Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2020 VMware Inc. All rights reserved.