===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3598.2
VMSA-2020-0023 - VMware ESXi, Workstation, Fusion and NSX-T updates address
     multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982,
        CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)
                              5 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation Pro / Player (Workstation)
                   VMware Fusion Pro / Fusion (Fusion)
                   NSX-T
                   VMware Cloud Foundation
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
                   Windows
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote with User Interaction
                   Denial of Service               -- Existing Account
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3995 CVE-2020-3994 CVE-2020-3993
                   CVE-2020-3992 CVE-2020-3982 CVE-2020-3981

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2020-0023.html

Revision History:  November 5 2020: Vendor updated patch version detail in response matrix of section (3a)
                   October 21 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Critical Advisory ID: VMSA-2020-0023.1
CVSSv3 Range: 5.9 - 9.8

Issue Date: 2020-10-20
Updated On: 2020-11-04

CVE(s): CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993,
CVE-2020-3994, CVE-2020-3995

Synopsis: VMware ESXi, Workstation, Fusion and NSX-T updates address multiple
security vulnerabilities (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992,
CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)


1. Impacted Products

  o VMware ESXi
  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)
  o NSX-T
  o VMware Cloud Foundation
  o VMware vCenter Server


2. Introduction

IMPORTANT: The ESXi patches released on October 20, 2020 did not address
CVE-2020-3992 completely; see the Notes in section (3a) for an update.

Multiple vulnerabilities in VMware ESXi, Workstation, Fusion and NSX-T were
privately reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products.


3a. ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

Description

OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the
severity of this issue to be in the Critical severity range with a maximum
CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor residing in the management network who has access to port 427
on an ESXi machine may be able to trigger a use-after-free in the OpenSLP
service resulting in remote code execution.

Resolution

To remediate CVE-2020-3992 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-3992 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Lucas Leong (@_wmliang_) of Trend Micro's Zero Day
Initiative for reporting this issue to us.

Notes

The ESXi patches released on October 20, 2020 did not address CVE-2020-3992
completely. The ESXi patches listed in the Response Matrix below are updated
versions that contain the complete fix for CVE-2020-3992. 

Response Matrix:

Product                        Version Running CVE           CVSSv3 Severity Fixed Version        Workarounds Additional
                                       On      Identifier                                                     Documentation
ESXi                           7.0     Any     CVE-2020-3992 9.8    critical ESXi70U1a-17119627   KB76372     None
ESXi                           6.7     Any     CVE-2020-3992 9.8    critical ESXi670-202011301-SG KB76372     None
ESXi                           6.5     Any     CVE-2020-3992 9.8    critical ESXi650-202011401-SG KB76372     None
VMware Cloud Foundation (ESXi) 4.x     Any     CVE-2020-3992 9.8    critical Patch pending        KB76372     None
VMware Cloud Foundation (ESXi) 3.x     Any     CVE-2020-3992 9.8    critical Patch pending        KB76372     None


3b. NSX-T MITM vulnerability (CVE-2020-3993)

Description

VMware NSX-T contains a security vulnerability that exists in the way it allows
a KVM host to download and install packages from NSX manager. VMware has
evaluated the severity of this issue to be in the Important severity range with
a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with MITM positioning may be able to exploit this issue to
compromise the transport node.

Resolution

To remediate CVE-2020-3993 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Kevin Kelpen of ERNW Enno Rey Netzwerke GmbH for
reporting this issue to us.

Notes

None.

Response Matrix:

Product                         Version Running CVE           CVSSv3 Severity  Fixed     Workarounds Additional
                                        On      Identifier                     Version               Documentation
NSX-T                           3.x     Any     CVE-2020-3993 7.5    important 3.0.2     None        None
NSX-T                           2.5.x   Any     CVE-2020-3993 7.5    important 2.5.2.2.0 None        None
VMware Cloud Foundation (NSX-T) 4.x     Any     CVE-2020-3993 7.5    important 4.1       None        None
VMware Cloud Foundation (NSX-T) 3.x     Any     CVE-2020-3993 7.5    important 3.10.1.1  None        None


3c. TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability
due to a time-of-check time-of-use issue in an ACPI device. VMware has evaluated
the severity of this issue to be in the Important severity range with a maximum
CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be able
to exploit this issue to leak memory from the vmx process. 

Resolution

To remediate CVE-2020-3981 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro's Zero Day
Initiative for reporting this issue to us.

Notes

None.


Response Matrix:

Product                        Version Running CVE           CVSSv3 Severity  Fixed Version           Workarounds Additional
                                       On      Identifier                                                         Documentation
ESXi                           7.0     Any     CVE-2020-3981 7.1    important ESXi_7.0.1-0.0.16850804 None        None
ESXi                           6.7     Any     CVE-2020-3981 7.1    important ESXi670-202008101-SG    None        None
ESXi                           6.5     Any     CVE-2020-3981 7.1    important ESXi650-202007101-SG    None        None
Fusion                         12.x    OS X    CVE-2020-3981 N/A    N/A       Unaffected              N/A         N/A
Fusion                         11.x    OS X    CVE-2020-3981 7.1    important 11.5.6                  None        None
Workstation                    16.x    Any     CVE-2020-3981 N/A    N/A       Unaffected              N/A         N/A
Workstation                    15.x    Any     CVE-2020-3981 7.1    important Patch pending           None        None
VMware Cloud Foundation (ESXi) 4.x     Any     CVE-2020-3981 7.1    important 4.1                     None        None
VMware Cloud Foundation (ESXi) 3.x     Any     CVE-2020-3981 7.1    important 3.10.1                  None        None


3d. TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds write
vulnerability due to a time-of-check time-of-use issue in an ACPI device. VMware
has evaluated the severity of this issue to be in the Moderate severity range
with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be able
to exploit this vulnerability to crash the virtual machine's vmx process or
corrupt the hypervisor's memory heap.

Resolution

To remediate CVE-2020-3982 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro's Zero Day
Initiative for reporting this issue to us.

Notes

None.


Response Matrix:

Product                        Version Running CVE           CVSSv3 Severity Fixed Version           Workarounds Additional
                                       On      Identifier                                                        Documentation
ESXi                           7.0     Any     CVE-2020-3982 5.9    moderate ESXi_7.0.1-0.0.16850804 None        None
ESXi                           6.7     Any     CVE-2020-3982 5.9    moderate ESXi670-202008101-SG    None        None
ESXi                           6.5     Any     CVE-2020-3982 5.9    moderate ESXi650-202007101-SG    None        None
Fusion                         12.x    OS X    CVE-2020-3982 N/A    N/A      Unaffected              N/A         N/A
Fusion                         11.x    OS X    CVE-2020-3982 5.9    moderate 11.5.6                  None        None
Workstation                    16.x    Any     CVE-2020-3982 N/A    N/A      Unaffected              N/A         N/A
Workstation                    15.x    Any     CVE-2020-3982 5.9    moderate Patch pending           None        None
VMware Cloud Foundation (ESXi) 4.x     Any     CVE-2020-3982 5.9    moderate 4.1                     None        None
VMware Cloud Foundation (ESXi) 3.x     Any     CVE-2020-3982 5.9    moderate 3.10.1                  None        None


3e. vCenter Server session hijack vulnerability in update function
(CVE-2020-3994)

Description

VMware vCenter Server contains a session hijack vulnerability in the vCenter
Server Appliance Management Interface update function due to a lack of
certificate validation. VMware has evaluated the severity of this issue to be
in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network positioning between vCenter Server and an update
repository may be able to perform a session hijack when the vCenter Server
Appliance Management Interface is used to download vCenter updates.

Resolution

To remediate CVE-2020-3994 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Thorsten Tullmann, Karlsruhe Institute of
Technology, for reporting this issue to us.

Notes

None.

Response Matrix:

Product                                  Version Running           CVE           CVSSv3 Severity  Fixed      Workarounds Additional
                                                 On                Identifier                     Version                Documentation
vCenter Server                           7.0     Any               CVE-2020-3994 N/A    N/A       Unaffected N/A         N/A
vCenter Server                           6.7     Virtual Appliance CVE-2020-3994 7.5    important 6.7 U3     None        None
vCenter Server                           6.7     Windows           CVE-2020-3994 N/A    N/A       Unaffected N/A         N/A
vCenter Server                           6.5     Virtual Appliance CVE-2020-3994 7.5    important 6.5 U3K    None        None
vCenter Server                           6.5     Windows           CVE-2020-3994 N/A    N/A       Unaffected N/A         N/A
VMware Cloud Foundation (vCenter Server) 4.x     Any               CVE-2020-3994 N/A    N/A       Unaffected N/A         N/A
VMware Cloud Foundation (vCenter Server) 3.x     Any               CVE-2020-3994 7.5    important 3.9.0      None        None


3f. VMCI host driver memory leak vulnerability (CVE-2020-3995)

Description

The VMCI host drivers used by VMware hypervisors contain a memory leak
vulnerability. VMware has evaluated the severity of this issue to be in the 
Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with access to a virtual machine may be able to trigger a
memory leak issue resulting in memory resource exhaustion on the hypervisor if
the attack is sustained for extended periods of time.

Resolution

To remediate CVE-2020-3995 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Tianwen Tang (VictorV) for reporting this issue to
us.

Notes

None.

Response Matrix:

Product                        Version Running CVE           CVSSv3 Severity  Fixed Version        Workarounds Additional
                                       On      Identifier                                                      Documentation
ESXi                           7.0     Any     CVE-2020-3995 N/A    N/A       Unaffected           N/A         N/A
ESXi                           6.7     Any     CVE-2020-3995 7.1    important ESXi670-201908101-SG None        None
ESXi                           6.5     Any     CVE-2020-3995 7.1    important ESXi650-201907101-SG None        None
Fusion                         11.x    OS X    CVE-2020-3995 7.1    important 11.1.0               None        None
Workstation                    15.x    Any     CVE-2020-3995 7.1    important 15.1.0               None        None
VMware Cloud Foundation (ESXi) 4.x     Any     CVE-2020-3995 N/A    N/A       Unaffected           N/A         N/A
VMware Cloud Foundation (ESXi) 3.x     Any     CVE-2020-3995 7.1    important 3.9.0                None        None


4. References

VMware ESXi 7.0 ESXi70U1a-17119627
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1a.html

VMware ESXi 6.7 ESXi670-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011001.html

VMware ESXi 6.5 ESXi650-202011401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011001.html

VMware Workstation Pro 15.5.6 
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.6 
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.6 
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware NSX-T 3.0.2
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-302&productId=982&rPId=52624
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware NSX-T 2.5.2.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-2522&productId=673&rPId=53876
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware vCenter Server 6.7u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC67U3&productId=742&rPId=52126

VMware vCenter Server 6.5u3k
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173

VMware vCloud Foundation 4.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html

VMware vCloud Foundation 3.10.1.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.1

VMware vCloud Foundation 3.9
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VCF390&productId=945&rPId=41516

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3995

FIRST CVSSv3 Calculator:
CVE-2020-3981 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2020-3982 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CVE-2020-3992 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-3993 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3994 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3995 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

5. Change Log

2020-10-20 VMSA-2020-0023
Initial security advisory.

2020-11-04 VMSA-2020-0023.1
Updated patch versions in the response matrix of section (3a) after release of
ESXi patches that completed the incomplete fix for CVE-2020-3992 on 2020-11-04.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================