Critical

VMSA-2020-0023.3
5.9 - 9.8
2020-10-20
2020-11-24
CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995
VMware ESXi, Workstation, Fusion and NSX-T updates address multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • NSX-T
  • VMware Cloud Foundation
  • VMware vCenter Server
2. Introduction

IMPORTANT: The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely, see section (3a) Notes for an update.

 

Multiple vulnerabilities in VMware ESXi, Workstation, Fusion and NSX-T were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

Description

OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.

Resolution

To remediate CVE-2020-3992 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3992 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Lucas Leong (@_wmliang_) of Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely. The ESXi patches listed in the Response Matrix below are updated versions that contain the complete fix for CVE-2020-3992. 

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-3992
critical
ESXi70U1a-17119627
None
ESXi
6.7
Any
CVE-2020-3992
critical
ESXi670-202011301-SG
None
ESXi
6.5
Any
CVE-2020-3992
critical
ESXi650-202011401-SG
None
VMware Cloud Foundation (ESXi)
4.x
Any
CVE-2020-3992
critical
4.1.0.1
None.
VMware Cloud Foundation (ESXi)
3.x
Any
CVE-2020-3992
critical
3.10.1.2
None
3b. NSX-T MITM vulnerability (CVE-2020-3993)

Description

VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.

Resolution

To remediate CVE-2020-3993 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Kevin Kelpen of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.

Notes

None.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
NSX-T
3.x
Any
CVE-2020-3993
important
3.0.2
None
None
NSX-T
2.5.x
Any
CVE-2020-3993
important
2.5.2.2.0
None
None
VMware Cloud Foundation (NSX-T)
4.x
Any
CVE-2020-3993
important
4.1
None
None.
VMware Cloud Foundation (NSX-T)
3.x
Any
CVE-2020-3993
important
3.10.1.1
None.
None
3c. TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability due to a time-of-check time-of-use issue in ACPI device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process. 

Resolution

To remediate CVE-2020-3981 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

None.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-3981
important
ESXi_7.0.1-0.0.16850804
None.
None
ESXi
6.7
Any
CVE-2020-3981
important
ESXi670-202008101-SG
None
None
ESXi
6.5
Any
CVE-2020-3981
important
ESXi650-202007101-SG
None
None
Fusion
12.x
OS X
CVE-2020-3981
N/A
N/A
Unaffected
N/A
N/A
Fusion
11.x
OS X
CVE-2020-3981
important
11.5.6
None
None
Workstation
16.x
Any
CVE-2020-3981
N/A
N/A
Unaffected
N/A
N/A
Workstation
15.x
Any
CVE-2020-3981
important
15.5.7
None
None
VMware Cloud Foundation (ESXi)
4.x
Any
CVE-2020-3981
important
4.1
None
None.
VMware Cloud Foundation (ESXi)
3.x
Any
CVE-2020-3981
important
3.10.1
None
None
3d. TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in ACPI device. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine's vmx process or corrupt hypervisor's memory heap.

Resolution

To remediate CVE-2020-3982 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro's Zero Day Initiative for reporting this issue to us.

Notes

None.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-3982
moderate
ESXi_7.0.1-0.0.16850804
None.
None
ESXi
6.7
Any
CVE-2020-3982
moderate
ESXi670-202008101-SG
None
None
ESXi
6.5
Any
CVE-2020-3982
moderate
ESXi650-202007101-SG
None
None
Fusion
12.x
OS X
CVE-2020-3982
N/A
N/A
Unaffected
N/A
N/A
Fusion
11.x
OS X
CVE-2020-3982
moderate
11.5.6
None
None
Workstation
16.x
Any
CVE-2020-3982
N/A
N/A
Unaffected
N/A
N/A
Workstation
15.x
Any
CVE-2020-3982
moderate
15.5.7
None
None
VMware Cloud Foundation (ESXi)
4.x
Any
CVE-2020-3982
moderate
4.1
None
None.
VMware Cloud Foundation (ESXi)
3.x
Any
CVE-2020-3982
moderate
3.10.1
None
None
3e. vCenter Server session hijack vulnerability in update function (CVE-2020-3994)

Description

VMware vCenter Server contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.

Resolution

To remediate CVE-2020-3994 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Thorsten Tüllmann, Karlsruhe Institute of Technology, for reporting this issue to us.

Notes

None.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
vCenter Server
7.0
Any
CVE-2020-3994
N/A
N/A
Unaffected
N/A
N/A
vCenter Server
6.7
Virtual Appliance
CVE-2020-3994
important
6.7 U3
None
None
vCenter Server
6.7
Windows
CVE-2020-3994
N/A
N/A
Unaffected
N/A
N/A
vCenter Server
6.5
Virtual Appliance
CVE-2020-3994
important
6.5 U3K
None
None
vCenter Server
6.5
Windows
CVE-2020-3994
N/A
N/A
Unaffected
N/A
N/A
VMware Cloud Foundation (vCenter Server)
4.x
Any
CVE-2020-3994
N/A
N/A
Unaffected
N/A
N/A
VMware Cloud Foundation (vCenter Server)
3.x
Any
CVE-2020-3994
important
3.9.0
None
None
3f. VMCI host driver memory leak vulnerability (CVE-2020-3995)

Description

The VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.

Resolution

To remediate CVE-2020-3995 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Tianwen Tang (VictorV) for reporting this issue to us.

Notes

None.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-3995
N/A
N/A
Unaffected
N/A
N/A
ESXi
6.7
Any
CVE-2020-3995
important
ESXi670-201908101-SG
None
None
ESXi
6.5
Any
CVE-2020-3995
important
ESXi650-201907101-SG
None
None
Fusion
11.x
OS X
CVE-2020-3995
important
11.1.0
None
None
Workstation
15.x
Any
CVE-2020-3995
important
15.1.0
None
None
VMware Cloud Foundation (ESXi)
4.x
Any
CVE-2020-3995
N/A
N/A
Unaffected
N/A
N/A
VMware Cloud Foundation (ESXi)
3.x
Any
CVE-2020-3995
important
3.9.0
None
None
4. References

VMware ESXi 7.0 ESXi70U1a-17119627
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1a.html

VMware ESXi 6.7 ESXi670-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011001.html

VMware ESXi 6.5 ESXi650-202011401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011001.html

VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.6 
Downloads and Documentation:

https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware NSX-T 3.0.2
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-302&productId=982&rPId=52624
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware NSX-T 2.5.2.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-2522&productId=673&rPId=53876
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware vCenter Server 6.7u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC67U3&productId=742&rPId=52126

VMware vCenter Server 6.5u3k
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173

VMware vCloud Foundation 4.1.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html#4.1.0.1

VMware vCloud Foundation 3.10.1.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.2

VMware vCloud Foundation 4.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html

VMware vCloud Foundation 3.10.1.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.1

VMware vCloud Foundation 3.9
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VCF390&productId=945&rPId=41516

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3992

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3995

FIRST CVSSv3 Calculator:
CVE-2020-
3981 - 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVE-2020-3982 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CVE-2020-3992 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-3993 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3994 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3995 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

5. Change Log

2020-10-20 VMSA-2020-0023
Initial security advisory.

 

2020-11-04 VMSA-2020-0023.1
Updated patch versions in the response matrix of section (3a) after release of ESXi patches that completed the incomplete fix for CVE-2020-3992 on 2020-11-04.

 

2020-11-19: VMSA-2020-0023.2

Updated security advisory to add Workstation 15.x version in the response matrix of sections 3(c) and 3(d).

 

2020-11-24 VMSA-2020-0023.3
Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of section 3(a).

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2020 VMware Inc. All rights reserved.