-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1892
  Security vulnerabilities addressed in VMware ESXi, Workstation, Fusion,
                     Remote Console and Horizon Client
                                1 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation
                   VMware Fusion
                   VMware Remote Console
                   VMware Horizon Client
Publisher:         VMware
Operating System:  Mac OS
                   Windows
                   Virtualisation
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3959 CVE-2020-3958 CVE-2020-3957

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2020-0011.html

- --------------------------BEGIN INCLUDED TEXT--------------------

+-----------------------------------------------------------------------------+
|Advisory|VMSA-2020-0011                                                      |
|ID      |                                                                    |
|--------+--------------------------------------------------------------------|
|Advisory|Important                                                           |
|Severity|                                                                    |
|--------+--------------------------------------------------------------------|
|CVSSv3  |3.3-7.3                                                             |
|Range   |                                                                    |
|--------+--------------------------------------------------------------------|
|        |VMware ESXi, Workstation, Fusion, VMware Remote Console and Horizon |
|Synopsis|Client updates address multiple security vulnerabilities            |
|        |(CVE-2020-3957, CVE-2020-3958, CVE-2020-3959)                       |
|--------+--------------------------------------------------------------------|
|Issue   |2020-05-28                                                          |
|Date    |                                                                    |
|--------+--------------------------------------------------------------------|
|Updated |2020-05-28 (Initial Advisory)                                       |
|On      |                                                                    |
|--------+--------------------------------------------------------------------|
|CVE(s)  |CVE-2020-3957, CVE-2020-3958, CVE-2020-3959                         |
+-----------------------------------------------------------------------------+

1. Impacted Products

  * VMware ESXi
  * VMware Workstation Pro / Player (Workstation)
  * VMware Fusion Pro / Fusion (Fusion)
  * VMware Remote Console for Mac (VMRC for Mac)
  * VMware Horizon Client for Mac

2. Introduction

Multiple security vulnerabilities in VMware ESXi, Workstation, Fusion, VMRC and
Horizon Client were privately reported to VMware. Patches and workarounds are
available to remediate or work around these vulnerabilities in affected VMware
products.

3a. Service opener - Time-of-check Time-of-use (TOCTOU) issue (CVE-2020-3957)

Description:

VMware Fusion, VMRC and Horizon Client contain a local privilege escalation
vulnerability due to a Time-of-check Time-of-use (TOCTOU) issue in the service
opener. VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal user
privileges to escalate their privileges to root on the system where Fusion,
VMRC and Horizon Client are installed.

Resolution:

To remediate CVE-2020-3957 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds:

None.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Rich Mirch of TeamARES from Critical Start Inc. and
Jeffball of GRIMM for independently reporting this issue to us.

Resolution Matrix:

+-------------------------------------------------------------------------------------+
|Product|Version|Running|CVE          |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|       |       |On     |Identifier   |      |         |Version|           |Documents |
|-------+-------+-------+-------------+------+---------+-------+-----------+----------|
|Fusion |11.x   |OS X   |CVE-2020-3957|7.3   |Important|11.5.5 |None       |None      |
|-------+-------+-------+-------------+------+---------+-------+-----------+----------|
|VMRC   |11.x   |       |             |      |         |Patch  |           |          |
|for Mac|and    |OS X   |CVE-2020-3957|7.3   |Important|Pending|None       |None      |
|       |prior  |       |             |      |         |       |           |          |
|-------+-------+-------+-------------+------+---------+-------+-----------+----------|
|Horizon|5.x and|       |             |      |         |Patch  |           |          |
|Client |prior  |OS X   |CVE-2020-3957|7.3   |Important|Pending|None       |None      |
|for Mac|       |       |             |      |         |       |           |          |
+-------------------------------------------------------------------------------------+

3b. Denial-of-service vulnerability in Shader functionality (CVE-2020-3958)

Description:

VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability
in the shader functionality. VMware has evaluated the severity of this issue to
be in the Moderate severity range with a maximum CVSSv3 base score of 4.0.

Known Attack Vectors:

Exploitation of this issue requires an attacker to have access to a virtual
machine with 3D graphics enabled. It is not enabled by default on ESXi and is
enabled by default on Workstation and Fusion. Successful exploitation of this
issue may allow attackers with non-administrative access to a virtual machine
to crash the virtual machine's vmx process leading to a denial of service
condition.

Resolution:

To remediate CVE-2020-3958 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds:

Workarounds for CVE-2020-3958 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue
to us.

Notes:

None.

Resolution Matrix:

+-----------------------------------------------------------------------------------------------------+
|Product    |Version|Running|CVE          |CVSSV3|Severity|Fixed Version       |Workarounds|Additional|
|           |       |On     |Identifier   |      |        |                    |           |Documents |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|ESXi       |7.0    |Any    |CVE-2020-3958|N/A   |N/A     |Unaffected          |N/A        |N/A       |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|ESXi       |6.7    |Any    |CVE-2020-3958|4.0   |Moderate|ESXi670-202004101-SG|See Item 34|None      |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|ESXi       |6.5    |Any    |CVE-2020-3958|4.0   |Moderate|ESXi650-202005401-SG|See Item 34|None      |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|Workstation|15.x   |Any    |CVE-2020-3958|4.0   |Moderate|15.5.2              |KB59146    |None      |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|Fusion     |11.x   |OS X   |CVE-2020-3958|4.0   |Moderate|11.5.2              |KB59146    |None      |
+-----------------------------------------------------------------------------------------------------+

3c. Memory leak vulnerability in VMCI module (CVE-2020-3959)

Description:

VMware ESXi, Workstation and Fusion contain a memory leak vulnerability in the
VMCI module. VMware has evaluated the severity of this issue to be in the Low
severity range with a maximum CVSSv3 base score of 3.3.

Known Attack Vectors:

A malicious actor with local non-administrative access to a virtual machine may
be able to crash the virtual machine's vmx process leading to a partial denial
of service.

Resolution:

To remediate CVE-2020-3959 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds:

None.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Tianwen Tang(VictorV) of Qihoo 360Vulcan Team
working with 360 BugCloud for reporting this issue to us.

Notes:

None.

Resolution Matrix:

+-----------------------------------------------------------------------------------------------------+
|Product    |Version|Running|CVE          |CVSSV3|Severity|Fixed Version       |Workarounds|Additional|
|           |       |On     |Identifier   |      |        |                    |           |Documents |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|ESXi       |7.0    |Any    |CVE-2020-3959|N/A   |N/A     |Unaffected          |N/A        |N/A       |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|ESXi       |6.7    |Any    |CVE-2020-3959|3.3   |Low     |ESXi670-202004101-SG|None       |None      |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|ESXi       |6.5    |Any    |CVE-2020-3959|3.3   |Low     |ESXi650-202005401-SG|None       |None      |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|Workstation|15.x   |Any    |CVE-2020-3959|3.3   |Low     |15.1.0              |None       |None      |
|-----------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|Fusion     |11.x   |OS X   |CVE-2020-3959|3.3   |Low     |11.1.0              |None       |None      |
+-----------------------------------------------------------------------------------------------------+

4. References

Fixed Version(s) and Release Notes:

VMware ESXi 6.7 ESXi670-202004101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202004002.html

VMware ESXi 6.5 ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202005001.html

VMware Workstation Pro 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.5 (Latest)
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3959

FIRST CVSSv3 Calculator:
CVE-2020-3957 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2020-3958 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2020-3959 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

5. Change log

2020-05-28: VMSA-2020-0011 - Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2020 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----