-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4160
   VMSA-2020-0026 - VMware ESXi, Workstation and Fusion updates address
         use-after-free and privilege escalation vulnerabilities
                              24 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation Pro / Player (Workstation)
                   VMware Fusion Pro / Fusion (Fusion)
                   VMware Cloud Foundation
Publisher:         VMware
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Increased Privileges            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4005 CVE-2020-4004

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2020-0026.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID:   VMSA-2020-0026
CVSSv3 Range:  8.8 - 9.3
Issue Date:    2020-11-19
Updated On:    2020-11-19 (Initial Advisory)
CVE(s):        CVE-2020-4004, CVE-2020-4005
Synopsis:      VMware ESXi, Workstation and Fusion updates address
               use-after-free and privilege escalation vulnerabilities
               (CVE-2020-4004, CVE-2020-4005)

1. Impacted Products

  * VMware ESXi
  * VMware Workstation Pro / Player (Workstation)
  * VMware Fusion Pro / Fusion (Fusion)
  * VMware Cloud Foundation

2. Introduction

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were
privately reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products.

3a. Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability
in the XHCI USB controller.
VMware has evaluated the severity of this issue to be in the Critical
severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine
may exploit this issue to execute code as the virtual machine's VMX process
running on the host.

Resolution

To remediate CVE-2020-4004 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2020-4004 have been listed in the 'Workarounds' column
of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360
Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this
issue to us.

Notes

None.

Response Matrix:

Product      Version  Running  CVE            CVSSv3  Severity  Fixed Version         Workarounds                       Additional
                      On       Identifier                                                                                Documentation
ESXi         7.0      Any      CVE-2020-4004  9.3     critical  ESXi70U1b-17168206    Remove XHCI (USB 3.x) controller  None
ESXi         6.7      Any      CVE-2020-4004  9.3     critical  ESXi670-202011101-SG  Remove XHCI (USB 3.x) controller  None
ESXi         6.5      Any      CVE-2020-4004  9.3     critical  ESXi650-202011301-SG  Remove XHCI (USB 3.x) controller  None
Fusion       12.x     OS X     CVE-2020-4004  N/A     N/A       Unaffected            N/A                               N/A
Fusion       11.x     OS X     CVE-2020-4004  9.3     critical  11.5.7                Remove XHCI (USB 3.x) controller  None
Workstation  16.x     Any      CVE-2020-4004  N/A     N/A       Unaffected            N/A                               N/A
Workstation  15.x     Any      CVE-2020-4004  9.3     critical  15.5.7                Remove XHCI (USB 3.x) controller  None
VMware Cloud 4.x      Any      CVE-2020-4004  9.3     critical  Patch Pending         Remove XHCI (USB 3.x) controller  None
Foundation
(ESXi)
VMware Cloud 3.x      Any      CVE-2020-4004  9.3     critical  Patch Pending         Remove XHCI (USB 3.x) controller  None
Foundation
(ESXi)

3b. VMX elevation-of-privilege vulnerability (CVE-2020-4005)

Description

VMware ESXi contains a privilege-escalation vulnerability that exists in the
way certain system calls are being managed.
VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor with privileges within the VMX process only may escalate
their privileges on the affected system. Successful exploitation of this
issue is only possible when chained with another vulnerability (e.g.
CVE-2020-4004).

Resolution

To remediate CVE-2020-4005 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360
Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this
issue to us.

Notes

None.

Response Matrix:

Product      Version  Running  CVE            CVSSv3  Severity  Fixed Version         Workarounds                       Additional
                      On       Identifier                                                                                Documentation
ESXi         7.0      Any      CVE-2020-4005  8.8     important ESXi70U1b-17168206    None                              None
ESXi         6.7      Any      CVE-2020-4005  8.8     important ESXi670-202011101-SG  None                              None
ESXi         6.5      Any      CVE-2020-4005  8.8     important ESXi650-202011301-SG  None                              None
VMware Cloud 4.x      Any      CVE-2020-4005  8.8     important Patch Pending         None                              None
Foundation
(ESXi)
VMware Cloud 3.x      Any      CVE-2020-4005  8.8     important Patch Pending         None                              None
Foundation
(ESXi)
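As an added triage helper for the two response matrices above (example code written for this bulletin, not part of the AusCERT redistribution or VMware's advisory), the Python below encodes the fixed versions for CVE-2020-4004 and CVE-2020-4005 and answers two defender questions: is a given ESXi, Workstation or Fusion install at or past its fixed version, and does a guest's .vmx file still carry the XHCI (USB 3.x) controller that the CVE-2020-4004 workaround says to remove. It assumes that the ESXi 7.0 fixed build 17168206 is the numeric suffix of the patch name ESXi70U1b-17168206 (the advisory lists only patch IDs for 6.7 and 6.5, so their build numbers are left unfilled and reported as unknown), that usb_xhci.present = "TRUE" is the .vmx setting that enables the XHCI controller, and that the sample .vmx fragment is constructed.

```python
"""Added triage helper for VMSA-2020-0026 (not from the bulletin or VMware).

Encodes the response matrices for CVE-2020-4004 / CVE-2020-4005 and checks
(a) whether a product is at or past its fixed version and (b) whether a
guest's .vmx still carries the XHCI (USB 3.x) controller the workaround removes.
"""
import re
from typing import Dict, Optional, Tuple

# ASSUMPTION: the ESXi 7.0 fixed build is the numeric suffix of the patch
# name ESXi70U1b-17168206. The advisory gives only patch IDs for 6.7
# (ESXi670-202011101-SG) and 6.5 (ESXi650-202011301-SG), so their builds
# stay None until filled in from the release notes linked in section 4.
ESXI_FIXED_BUILD: Dict[str, Optional[int]] = {"7.0": 17168206, "6.7": None, "6.5": None}

# Workstation / Fusion rows (CVE-2020-4004 only): major -> fixed version,
# or None where the matrix lists the branch as Unaffected.
DESKTOP_FIXED: Dict[Tuple[str, int], Optional[Tuple[int, ...]]] = {
    ("Workstation", 16): None,
    ("Workstation", 15): (15, 5, 7),
    ("Fusion", 12): None,
    ("Fusion", 11): (11, 5, 7),
}
WORKAROUND = "Remove XHCI (USB 3.x) controller"


def parse_version(text: str) -> Tuple[int, ...]:
    """'15.5.7' -> (15, 5, 7); anything after the dotted digits is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def esxi_status(version: str, build: int) -> str:
    """'fixed' / 'vulnerable' / 'unknown' for an ESXi host by release and build.

    'unknown' covers releases outside the matrix and the 6.x branches whose
    fixed build number is not encoded above.
    """
    fixed = ESXI_FIXED_BUILD.get(version)
    if fixed is None:
        return "unknown"
    return "fixed" if build >= fixed else "vulnerable"


def desktop_status(product: str, version: str) -> str:
    """'unaffected' / 'fixed' / 'vulnerable' / 'unknown' for Workstation or Fusion."""
    ver = parse_version(version)
    key = (product, ver[0])
    if key not in DESKTOP_FIXED:
        return "unknown"
    fixed = DESKTOP_FIXED[key]
    if fixed is None:
        return "unaffected"
    # Tuple comparison treats a short version like (15, 5) as below (15, 5, 7).
    return "fixed" if ver >= fixed else "vulnerable"


# A .vmx line is `key = "value"`; values are normally double-quoted.
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?([^"\r\n]*?)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx key/value lines into a dict with lower-cased keys."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _VMX_LINE.match(line)
        if m:
            config[m.group(1).lower()] = m.group(2)
    return config


def vmx_has_xhci(vmx_text: str) -> bool:
    """True when the guest's XHCI (USB 3.x) controller is present.

    ASSUMPTION: usb_xhci.present = "TRUE" is the .vmx setting for that device.
    """
    return parse_vmx(vmx_text).get("usb_xhci.present", "").strip().upper() == "TRUE"


def triage_guest(vmx_text: str, host_version: str, host_build: int) -> str:
    """One verdict per guest: a patched host settles it; otherwise the
    workaround is only needed where the guest actually exposes XHCI."""
    host = esxi_status(host_version, host_build)
    if host == "fixed":
        return "ok: host patched"
    if not vmx_has_xhci(vmx_text):
        return f"ok: host {host}, guest has no XHCI controller"
    return f"ACTION: host {host}, guest exposes XHCI -> {WORKAROUND}"


# Constructed sample .vmx fragment (not taken from any real guest).
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "example-guest"
usb_xhci.present = "TRUE"
usb_xhci.pciSlotNumber = "192"
'''

if __name__ == "__main__":
    print(esxi_status("7.0", 17168206))               # fixed
    print(desktop_status("Workstation", "15.5.6"))    # vulnerable
    # 17000000 is a constructed build number below the fixed one.
    print(triage_guest(SAMPLE_VMX, "7.0", 17000000))  # ACTION: ...
```

The host check comes first on purpose: once the fixed patch is in place the XHCI device can stay, while on an unpatched host the workaround only buys anything for guests that actually have the controller attached, which is what the .vmx scan identifies.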
4. References

VMware ESXi 7.0 ESXi70U1b-17168206
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1b.html

VMware ESXi 6.7 ESXi670-202011101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011002.html

VMware ESXi 6.5 ESXi650-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011002.html

VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4005

FIRST CVSSv3 Calculator:
CVE-2020-4004 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-4005 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

5. Change Log

2020-11-19 VMSA-2020-0026 Initial security advisory.
6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2020 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX7yODeNLKJtyKPYoAQhhew//XkIp3hGou3TbEx4uqF41lj8JrSIVFFzZ
alMWKj99n3G8PsO5FMbQNzK85nz8vmMEE8uEvZNyGle2KnFmyYu3twYqJm8fI85R
ULXy0LaA6hCegBYL16qj/cSe25P1Te8Ty8xg/a/sa0Qj1Tc1cZ48z86ZORAODOGr
sD2YQK3vpND0DUR0r4rnlzAwfjCeKAoFY2XYdOYafzd5j4Y5Sz061Rb3d+6rjq48
5dMzMLKrGgwW3iIEdZMMSmQNwNPRbNV37KQz3J+JaN9/gQgwH62bfKeMAJssoPbP
+M5I5CGq8FDMimxyrJuupgCIxjS1EtufnWW5LgBZhjNE2HMzv5cH7GGIGIktYXCZ
1TfauzaiZPYHUFhqtfePqoupOPvjPniu9IBZGaqPne2IIjGO8Eg3qNGixkdqvQjO
sDwt4Z7H10p1roqz5AjIEdy0GYBlqsksKtRiZ4VoAee8NzHAn3jcNm+ZWhA8cV5a
b2L88ZZX+lrvguhu7qL53f96qmq8X3m4A1bfFOSLrKxpKwBi9z9ijYesZKWc5CLY
OpfiTxbIhzqMcJ5N6FT0p5kXS+i2gNCu0siPtoiPz0qJWjJJWsSk8MMVLoiwvfJf
N89MlFQ2QHscduWUwSg9fW/8BHXy3CFfQVcKJ6PH2nb6qGqwtOJ2AVz36LXCMh9O
ztE9ilJv+Mw=
=JKNS
-----END PGP SIGNATURE-----