Moderate
1. Impacted Products
- VMware ESXi
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
2. Introduction
A partial denial of service vulnerability in VMware ESXi and vCenter Server was privately reported to VMware. Patches and updates are available to remediate this vulnerability in affected VMware products.
3. Partial denial of service vulnerability via authentication services (CVE-2020-3976)
Description
VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors
A malicious actor with network access to ESXi or vCenter Server may be able to exploit this vulnerability to exhaust memory resources, degrading performance for as long as the attack is sustained. No authentication or user interaction is required (see the CVSSv3 vector in section 4), so any network path to the authentication services of an unpatched host or vCenter is sufficient.
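The advisory does not describe the traffic that triggers the condition, only that it is sustained against the authentication services and that the effect lasts while the attack continues. A practical proxy for detection is therefore a rate check on authentication events per source address. The script below is an added example, not VMware code and not from this advisory; the log line format is an assumption loosely modelled on ESXi hostd.log, and the sample lines are constructed here rather than taken from an affected host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Timestamp plus source address of an authentication event in a hostd-style
# line. ASSUMPTION: this shape approximates ESXi hostd.log; adapt the pattern
# to the real log source (hostd.log, vpxd.log, or a SIEM-normalised field).
AUTH_EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s.*?"
    r"(?:User \S+@(?P<ip1>\d{1,3}(?:\.\d{1,3}){3}) logged in"
    r"|Rejected password for user \S+ from (?P<ip2>\d{1,3}(?:\.\d{1,3}){3}))"
)


def constructed_lines():
    """Constructed sample log: two ordinary logins and one sustained flood.

    These lines are made up for the example and are not real host output.
    """
    lines = [
        "2020-08-20T10:00:00.000Z info hostd[2099412] [Originator@6876 sub=Vimsvc.ha-eventmgr] "
        "Event 1 : User root@10.0.0.5 logged in as VMware vim-java 1.0",
        "2020-08-20T10:00:30.500Z info hostd[2099412] [Originator@6876 sub=Vimsvc.ha-eventmgr] "
        "Event 2 : User root@10.0.0.5 logged in as VMware vim-java 1.0",
    ]
    start = datetime(2020, 8, 20, 10, 0, 5)
    for i in range(40):  # 40 attempts in 10 seconds from a single address
        ts = start + timedelta(milliseconds=250 * i)
        lines.append(
            f"{ts.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3]}Z warning hostd[2099412] "
            "[Originator@6876 sub=Default] Rejected password for user root from 192.0.2.7"
        )
    return lines


def find_auth_floods(lines, window_seconds=60, threshold=20):
    """Sliding-window rate check on authentication events per source address.

    Returns {source_ip: {"count": peak events inside one window,
                         "first_alert": ISO timestamp of the event that crossed
                         the threshold}} for every source that produced at least
    `threshold` events within any `window_seconds` span. Successful and rejected
    logins both count: the advisory's condition is about sustained load on the
    authentication service, not about whether the credentials were valid.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source event timestamps still inside the window
    alerts = {}
    for line in lines:
        m = AUTH_EVENT.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        ip = m.group("ip1") or m.group("ip2")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry = alerts.setdefault(ip, {"count": 0, "first_alert": ts.isoformat()})
            entry["count"] = max(entry["count"], len(q))
    return alerts


if __name__ == "__main__":
    for ip, info in find_auth_floods(constructed_lines()).items():
        print(f"{ip}: {info['count']} auth events within 60s, first alert at {info['first_alert']}")
```

Tune `threshold` and `window_seconds` to the normal login rate of your management network (monitoring tools and automation that poll hostd can legitimately produce dozens of logins a minute), and treat a hit as a reason to check the memory of the affected host or vCenter, not as proof of exploitation. The same check also catches ordinary credential brute-forcing, which is why it is worth keeping after the patches in section 3 are applied.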
Resolution
To remediate CVE-2020-3976 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank weinull of Orz Team for reporting this issue to us.
Notes
None.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 7.0 | Any | CVE-2020-3976 | 5.3 | moderate | ESXi 7.0b | None | None |
ESXi | 6.7 | Any | CVE-2020-3976 | 5.3 | moderate | ESXi670-202008101-SG | None | None |
ESXi | 6.5 | Any | CVE-2020-3976 | 5.3 | moderate | ESXi650-202007101-SG | None | None |
Cloud Foundation (ESXi) | 4.x.x | Any | CVE-2020-3976 | 5.3 | moderate | 4.0.1 | None | None |
Cloud Foundation (ESXi) | 3.x.x | Any | CVE-2020-3976 | 5.3 | moderate | 3.10.x (see section 4) | None | None |
vCenter Server | 7.0 | Any | CVE-2020-3976 | 5.3 | moderate | 7.0.0b | None | None |
vCenter Server | 6.7 | Any | CVE-2020-3976 | 5.3 | moderate | 6.7u3j | None | None |
vCenter Server | 6.5 | Any | CVE-2020-3976 | 5.3 | moderate | 6.5u3k | None | None |
Cloud Foundation (vCenter) | 4.x.x | Any | CVE-2020-3976 | 5.3 | moderate | 4.0.1 | None | None |
Cloud Foundation (vCenter) | 3.x.x | Any | CVE-2020-3976 | 5.3 | moderate | 3.10.x (see section 4) | None | None |
4. References
Downloads and Documentation:
VMware ESXi Patch Release 7.0b
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/esxi70b.html
VMware ESXi 6.7 ESXi670-202008101-SG and ESXi670-202008401-BG
https://my.vmware.com/group/vmware/patch
VMware ESXi 6.5 ESXi650-202007101-SG and ESXi650-202007401-BG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202007001.html
vCenter Server 7.0.0b
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC700B&productId=974&rPId=50093
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-700b-release-notes.html
vCenter Server 6.7u3j
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC67U3J&productId=742&rPId=50446
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3j-release-notes.html
vCenter Server 6.5u3k
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3k-release-notes.html
VMware Cloud Foundation 4.0.1
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF401&productId=1015&rPId=48125
VMware Cloud Foundation 3.10.0
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF310&productId=1001&rPId=46540
VMware Cloud Foundation 3.10.1
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3976
FIRST CVSSv3 Calculator:
CVE-2020-3976 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5. Change Log
2020-08-20 VMSA-2020-0018
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.