===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2020.3598.2
VMSA-2020-0023 - VMware ESXi, Workstation, Fusion and NSX-T updates
address multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982,
CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)
5 November 2020
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           VMware ESXi
                   VMware Workstation Pro / Player (Workstation)
                   VMware Fusion Pro / Fusion (Fusion)
                   NSX-T
                   VMware Cloud Foundation
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
                   Windows
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote with User Interaction
                   Denial of Service               -- Existing Account
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3995 CVE-2020-3994 CVE-2020-3993
                   CVE-2020-3992 CVE-2020-3982 CVE-2020-3981

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2020-0023.html

Revision History:  November  5 2020: Vendor updated patch version detail in response matrix of section (3a)
                   October  21 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID:  VMSA-2020-0023.1
CVSSv3 Range: 5.9 - 9.8
Issue Date:   2020-10-20
Updated On:   2020-11-04
CVE(s):       CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993,
              CVE-2020-3994, CVE-2020-3995
Synopsis:     VMware ESXi, Workstation, Fusion and NSX-T updates address
              multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982,
              CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)

1. Impacted Products

  o VMware ESXi
  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)
  o NSX-T
  o VMware Cloud Foundation
  o VMware vCenter Server

2. Introduction

IMPORTANT: The ESXi patches released on October 20, 2020 did not address
CVE-2020-3992 completely, see section (3a) Notes for an update.

Multiple vulnerabilities in VMware ESXi, Workstation, Fusion and NSX-T were
privately reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products.

3a. ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

Description

OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the
severity of this issue to be in the Critical severity range with a maximum
CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor residing in the management network who has access to port
427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP
service resulting in remote code execution.

Resolution

To remediate CVE-2020-3992 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3992 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Lucas Leong (@_wmliang_) of Trend Micro's Zero Day
Initiative for reporting this issue to us.

Notes

The ESXi patches released on October 20, 2020 did not address CVE-2020-3992
completely. The ESXi patches listed in the Response Matrix below are updated
versions that contain the complete fix for CVE-2020-3992.

Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version         Workarounds  Additional Documentation
ESXi                            7.0      Any         CVE-2020-3992   9.8     critical  ESXi70U1a-17119627    KB76372      None
ESXi                            6.7      Any         CVE-2020-3992   9.8     critical  ESXi670-202011301-SG  KB76372      None
ESXi                            6.5      Any         CVE-2020-3992   9.8     critical  ESXi650-202011401-SG  KB76372      None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-3992   9.8     critical  Patch pending         KB76372      None.
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-3992   9.8     critical  Patch Pending         KB76372      None

3b. NSX-T MITM vulnerability (CVE-2020-3993)

Description

VMware NSX-T contains a security vulnerability that exists in the way it
allows a KVM host to download and install packages from NSX manager. VMware
has evaluated the severity of this issue to be in the Important severity range
with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with MITM positioning may be able to exploit this issue to
compromise the transport node.

Resolution

To remediate CVE-2020-3993 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Kevin Kelpen of ERNW Enno Rey Netzwerke GmbH for
reporting this issue to us.

Notes

None.

Response Matrix:

Product                          Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
NSX-T                            3.x      Any         CVE-2020-3993   7.5     important  3.0.2          None         None
NSX-T                            2.5.x    Any         CVE-2020-3993   7.5     important  2.5.2.2.0      None         None
VMware Cloud Foundation (NSX-T)  4.x      Any         CVE-2020-3993   7.5     important  4.1            None         None.
VMware Cloud Foundation (NSX-T)  3.x      Any         CVE-2020-3993   7.5     important  3.10.1.1       None.        None

3c. TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds read
vulnerability due to a time-of-check time-of-use issue in ACPI device. VMware
has evaluated the severity of this issue to be in the Important severity range
with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be able
to exploit this issue to leak memory from the vmx process.

Resolution

To remediate CVE-2020-3981 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro's Zero Day
Initiative for reporting this issue to us.

Notes

None.

Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version            Workarounds  Additional Documentation
ESXi                            7.0      Any         CVE-2020-3981   7.1     important  ESXi_7.0.1-0.0.16850804  None.        None
ESXi                            6.7      Any         CVE-2020-3981   7.1     important  ESXi670-202008101-SG     None         None
ESXi                            6.5      Any         CVE-2020-3981   7.1     important  ESXi650-202007101-SG     None         None
Fusion                          12.x     OS X        CVE-2020-3981   N/A     N/A        Unaffected               N/A          N/A
Fusion                          11.x     OS X        CVE-2020-3981   7.1     important  11.5.6                   None         None
Workstation                     16.x     Any         CVE-2020-3981   N/A     N/A        Unaffected               N/A          N/A
Workstation                     15.x     Any         CVE-2020-3981   7.1     important  Patch pending            None         None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-3981   7.1     important  4.1                      None         None.
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-3981   7.1     important  3.10.1                   None         None

3d. TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds write
vulnerability due to a time-of-check time-of-use issue in ACPI device. VMware
has evaluated the severity of this issue to be in the Moderate severity range
with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be able
to exploit this vulnerability to crash the virtual machine's vmx process or
corrupt hypervisor's memory heap.

Resolution

To remediate CVE-2020-3982 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro's Zero Day
Initiative for reporting this issue to us.

Notes

None.

Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version            Workarounds  Additional Documentation
ESXi                            7.0      Any         CVE-2020-3982   5.9     moderate  ESXi_7.0.1-0.0.16850804  None.        None
ESXi                            6.7      Any         CVE-2020-3982   5.9     moderate  ESXi670-202008101-SG     None         None
ESXi                            6.5      Any         CVE-2020-3982   5.9     moderate  ESXi650-202007101-SG     None         None
Fusion                          12.x     OS X        CVE-2020-3982   N/A     N/A       Unaffected               N/A          N/A
Fusion                          11.x     OS X        CVE-2020-3982   5.9     moderate  11.5.6                   None         None
Workstation                     16.x     Any         CVE-2020-3982   N/A     N/A       Unaffected               N/A          N/A
Workstation                     15.x     Any         CVE-2020-3982   5.9     moderate  Patch pending            None         None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-3982   5.9     moderate  4.1                      None         None.
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-3982   5.9     moderate  3.10.1                   None         None

3e. vCenter Server session hijack vulnerability in update function
(CVE-2020-3994)

Description

VMware vCenter Server contains a session hijack vulnerability in the vCenter
Server Appliance Management Interface update function due to a lack of
certificate validation. VMware has evaluated the severity of this issue to be
in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network positioning between vCenter Server and an
update repository may be able to perform a session hijack when the vCenter
Server Appliance Management Interface is used to download vCenter updates.

Resolution

To remediate CVE-2020-3994 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Thorsten Tullmann, Karlsruhe Institute of
Technology, for reporting this issue to us.

Notes

None.

Response Matrix:

Product                                   Version  Running On         CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
vCenter Server                            7.0      Any                CVE-2020-3994   N/A     N/A        Unaffected     N/A          N/A
vCenter Server                            6.7      Virtual Appliance  CVE-2020-3994   7.5     important  6.7 U3         None         None
vCenter Server                            6.7      Windows            CVE-2020-3994   N/A     N/A        Unaffected     N/A          N/A
vCenter Server                            6.5      Virtual Appliance  CVE-2020-3994   7.5     important  6.5 U3K        None         None
vCenter Server                            6.5      Windows            CVE-2020-3994   N/A     N/A        Unaffected     N/A          N/A
VMware Cloud Foundation (vCenter Server)  4.x      Any                CVE-2020-3994   N/A     N/A        Unaffected     N/A          N/A
VMware Cloud Foundation (vCenter Server)  3.x      Any                CVE-2020-3994   7.5     important  3.9.0          None         None

3f. VMCI host driver memory leak vulnerability (CVE-2020-3995)

Description

The VMCI host drivers used by VMware hypervisors contain a memory leak
vulnerability. VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with access to a virtual machine may be able to trigger a
memory leak issue resulting in memory resource exhaustion on the hypervisor if
the attack is sustained for extended periods of time.

Resolution

To remediate CVE-2020-3995 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Tianwen Tang (VictorV) for reporting this issue to
us.

Notes

None.

Response Matrix:

Product                         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version         Workarounds  Additional Documentation
ESXi                            7.0      Any         CVE-2020-3995   N/A     N/A        Unaffected            N/A          N/A
ESXi                            6.7      Any         CVE-2020-3995   7.1     important  ESXi670-201908101-SG  None         None
ESXi                            6.5      Any         CVE-2020-3995   7.1     important  ESXi650-201907101-SG  None         None
Fusion                          11.x     OS X        CVE-2020-3995   7.1     important  11.1.0                None         None
Workstation                     15.x     Any         CVE-2020-3995   7.1     important  15.1.0                None         None
VMware Cloud Foundation (ESXi)  4.x      Any         CVE-2020-3995   N/A     N/A        Unaffected            N/A          N/A
VMware Cloud Foundation (ESXi)  3.x      Any         CVE-2020-3995   7.1     important  3.9.0                 None         None

4. References

VMware ESXi 7.0 ESXi70U1a-17119627
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1a.html

VMware ESXi 6.7 ESXi670-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011001.html

VMware ESXi 6.5 ESXi650-202011401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011001.html

VMware Workstation Pro 15.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware NSX-T 3.0.2
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-302&productId=982&rPId=52624
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware NSX-T 2.5.2.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-2522&productId=673&rPId=53876
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware vCenter Server 6.7u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC67U3&productId=742&rPId=52126

VMware vCenter Server 6.5u3k
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173

VMware vCloud Foundation 4.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html

VMware vCloud Foundation 3.10.1.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.1

VMware vCloud Foundation 3.9
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VCF390&productId=945&rPId=41516

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3995

FIRST CVSSv3 Calculator:
CVE-2020-3981 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2020-3982 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CVE-2020-3992 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-3993 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3994 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3995 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

5. Change Log

2020-10-20 VMSA-2020-0023
Initial security advisory.

2020-11-04 VMSA-2020-0023.1
Updated patch versions in the response matrix of section (3a) after release of
ESXi patches that completed the incomplete fix for CVE-2020-3992 on
2020-11-04.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================