Moderate

VMSA-2020-0020
3.8-6.7
2020-09-14
2020-09-14 (Initial Advisory)
CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990
VMware Workstation, Fusion and Horizon Client updates address multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Horizon Client for Windows
2. Introduction

Multiple vulnerabilities in VMware Workstation, Fusion and Horizon Client were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. 

3a. PATH configuration privilege escalation vulnerability (CVE-2020-3980)

Description

VMware Fusion contains a privilege escalation vulnerability due to the way it allows configuring the system wide path. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.

Known Attack Vectors

An attacker with normal user privileges may exploit this issue to trick an admin user into executing malicious code on the system where Fusion is installed.

Resolution

To remediate CVE-2020-3980 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Rich Mirch from TeamARES of Critical Start for reporting this issue to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Fusion
12.x
OS X
CVE-2020-3980
N/A
N/A
not affected
N/A
N/A
Fusion
11.x
OS X
CVE-2020-3980
moderate
patch pending
None
None
3b. Multiple out-of-bounds read vulnerabilities via Cortado ThinPrint (CVE-2020-3986, CVE-2020-3987, CVE-2020-3988)

Description

VMware Workstation and Horizon Client for Windows contain multiple out-of-bounds read vulnerabilities in Cortado ThinPrint component. These issues exist in the EMF and JPEG2000 parsers. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.2.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to exploit these issues to create a partial denial-of-service condition or to leak memory from TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Resolution

To remediate CVE-2020-3986 (EMF parser),  CVE-2020-3987 (EMR STRETCHDIBITS parser), and CVE-2020-3988 (JPEG2000 parser) apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank KPC of Trend Micro's Zero Day Initiative and pig working with Trend Micro's Zero Day Initiative for reporting these issues to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client. 

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Horizon Client for Windows
5.x and prior
Windows
CVE-2020-3986, CVE-2020-3987, CVE-2020-3988
moderate
5.4.4
None
None
Workstation
16.x
Any
CVE-2020-3986, CVE-2020-3987, CVE-2020-3988
N/A
N/A
not affected
N/A
N/A
Workstation
15.x
Linux
CVE-2020-3986, CVE-2020-3987, CVE-2020-3988
N/A
N/A
not affected
N/A
N/A
Workstation
15.x
Windows
CVE-2020-3986, CVE-2020-3987, CVE-2020-3988
moderate
patch pending
None
None
3c. Denial-of-service vulnerability via Cortado ThinPrint (CVE-2020-3989)

Description

VMware Workstation and Horizon Client for Windows contain a denial of service vulnerability due to an out-of-bounds write issue in Cortado ThinPrint component. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.8.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to exploit this issue to create a partial denial-of-service condition on the system where Workstation or Horizon Client for Windows is installed.

Resolution

To remediate CVE-2020-3989 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank linhlhq of VinCSS (Member of Vingroup) working with Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client. 

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Horizon Client for Windows
5.x and prior
Windows
CVE-2020-3989
low
5.4.4
None
None
Workstation
16.x
Any
CVE-2020-3989
N/A
N/A
not affected
N/A
N/A
Workstation
15.x
Linux
CVE-2020-3989
N/A
N/A
not affected
N/A
N/A
Workstation
15.x
Windows
CVE-2020-3989
low
patch pending
None
None
3d. Information disclosure vulnerability via Cortado ThinPrint (CVE-2020-3990)

VMware Workstation and Horizon Client for Windows contain an information disclosure vulnerability due to an integer overflow issue in Cortado ThinPrint component. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.8.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to exploit this issue to leak memory from TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Resolution

To remediate CVE-2020-3990 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank linhlhq of VinCSS (Member of Vingroup) working with Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client. 

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Horizon Client for Windows
5.x and prior
Windows
CVE-2020-3990
low
5.4.4
None
None
Workstation
16.x
Any
CVE-2020-3990
N/A
N/A
not affected
N/A
N/A
Workstation
15.x
Linux
CVE-2020-3990
N/A
N/A
not affected
N/A
N/A
Workstation
15.x
Windows
CVE-2020-3990
low
patch pending
None
None
4. References

Fixed Version(s) and Release Notes:

 

VMware Workstation Pro 16.0 
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

 

VMware Workstation Player 16.0 
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

 

VMware Fusion 12.0 
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

 

VMware Horizon Client 5.4.4
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3990

 

FIRST CVSSv3 Calculator:

CVE-2020-3980 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3986 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3987 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3988 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3989 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
CVE-2020-3990 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

5. Change Log

2020-09-14: VMSA-2020-0020 - Initial security advisory.

 

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog

https://blogs.vmware.com/security Twitterhttps://twitter.com/VMwareSRC

 

Twitter

https://twitter.com/VMwareSRC


Copyright 2020 VMware Inc. All rights reserved.