Critical

VMSA-2020-0026.1
8.8 - 9.3
2020-11-19
2020-11-24
CVE-2020-4004, CVE-2020-4005
VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation
2. Introduction

 

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Resolution

To remediate CVE-2020-4004 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-4004 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360 Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this issue to us.

Notes

None.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-4004
critical
ESXi70U1b-17168206
None
ESXi
6.7
Any
CVE-2020-4004
critical
ESXi670-202011101-SG
None
ESXi
6.5
Any
CVE-2020-4004
critical
ESXi650-202011301-SG
None
Fusion
12.x
OS X
CVE-2020-4004
N/A
N/A
Unaffected
N/A
N/A
Fusion
11.x
OS X
CVE-2020-4004
critical
11.5.7
None
Workstation
16.x
Any
CVE-2020-4004
N/A
N/A
Unaffected
N/A
N/A
Workstation
15.x
Any
CVE-2020-4004
critical
15.5.7
None
VMware Cloud Foundation (ESXi)
4.x
Any
CVE-2020-4004
critical
4.1.0.1
None.
VMware Cloud Foundation (ESXi)
3.x
Any
CVE-2020-4004
critical
3.10.1.2
None
3b. VMX elevation-of-privilege vulnerability (CVE-2020-4005)

Description

VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor with privileges within the VMX process only, may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability (e.g. CVE-2020-4004).

Resolution

To remediate CVE-2020-4005 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360 Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this issue to us.

Notes

None.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2020-4005
important
ESXi70U1b-17168206
None
None
ESXi
6.7
Any
CVE-2020-4005
important
ESXi670-202011101-SG
None
None
ESXi
6.5
Any
CVE-2020-4005
important
ESXi650-202011301-SG
None
None
VMware Cloud Foundation (ESXi)
4.x
Any
CVE-2020-4005
important
4.1.0.1
None
None
VMware Cloud Foundation (ESXi)
3.x
Any
CVE-2020-4005
important
3.10.1.2
None
None
4. References

VMware ESXi 7.0 ESXi70U1b-17168206
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1b.html

VMware ESXi 6.7 ESXi670-202011101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011002.html

VMware ESXi 6.5 ESXi650-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011002.html

VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.7
Downloads and Documentation:

https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware vCloud Foundation 4.1.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html#4.1.0.1

VMware vCloud Foundation 3.10.1.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.2

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4005

FIRST CVSSv3 Calculator:
CVE-2020-4004 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-4005 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

5. Change Log

2020-11-19 VMSA-2020-0026
Initial security advisory.

 

2020-11-24 VMSA-2020-0026.1
Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of sections 3(a) and 3(b).

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2020 VMware Inc. All rights reserved.