VMSA-2020-0004: VMware Horizon Client, VMRC, VMware Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities

VMware


23571

12 March 2020

16 February 2020

CLOSED

CRITICAL

Advisory ID: VMSA-2020-0004.1
CVSSv3 Range: 7.3-9.3
Issue Date: 2020-03-12
Updated On: 2020-03-14
CVE(s): CVE-2019-5543, CVE-2020-3947, CVE-2020-3948
VMware Horizon Client, VMRC, VMware Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2019-5543, CVE-2020-3947, CVE-2020-3948)
1. Impacted Products
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Horizon Client for Windows
  • VMware Remote Console for Windows (VMRC for Windows)
2. Introduction

VMware Horizon Client, VMRC, VMware Workstation and Fusion contain use-after-free and privilege escalation vulnerabilities. Patches are available to remediate these vulnerabilities in affected VMware products.

3a. Use-after-free vulnerability in vmnetdhcp (CVE-2020-3947)

Description

VMware Workstation and Fusion contain a use-after-free vulnerability in vmnetdhcp. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine.

Resolution

To remediate CVE-2020-3947, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.  

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Anonymous working with Trend Micro Zero Day Initiative for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workstation | 15.x | Any | CVE-2020-3947 | | critical | 15.5.2 | None | None |
| Fusion | 11.x | OS X | CVE-2020-3947 | | critical | 11.5.2 | None | None |

3b. Local privilege escalation vulnerability in Cortado Thinprint (CVE-2020-3948)

Description

Linux Guest VMs running on VMware Workstation and Fusion contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. Exploitation is only possible if virtual printing is enabled in the Guest VM. Virtual printing is not enabled by default on Workstation and Fusion.

Known Attack Vectors

Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM.

Resolution

To remediate CVE-2020-3948, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below and uninstall and reinstall VMware Virtual Printer for each VM. 

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workstation | 15.x | Any | CVE-2020-3948 | | important | 15.5.2 | None | None |
| Fusion | 11.x | OS X | CVE-2020-3948 | | important | 11.5.2 | None | None |

3c. VMware Horizon Client, VMRC and Workstation privilege escalation vulnerability (CVE-2019-5543)

Description

For VMware Horizon Client for Windows, VMRC for Windows and Workstation for Windows, the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.
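
An audit for the condition described above, as an added example that is not part of VMware's advisory: it lists allow entries on a folder that grant write-type rights to broad built-in groups. The advisory does not name the folder, so the path is a caller-supplied placeholder, and the function name Get-BroadWriteAce is hypothetical.

```powershell
# Added example: report ACEs that let ordinary local users write to a folder.
# The advisory does not give the folder path, so the caller passes it in.
function Get-BroadWriteAce {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs (locale independent) that cover ordinary local users.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }

    # Rights that allow planting or replacing files, or rewriting the ACL.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
        $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
        $R::TakeOwnership)

    # Generic rights can show up unmapped on inherit-only ACEs:
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $genericMask = 0x50000000

    # Ask for explicit and inherited rules with identities returned as SIDs.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $broad.ContainsKey($sid))       { continue }

        $rights = [int]$rule.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broad[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Placeholder path; substitute the folder used by the installed product.
# Get-BroadWriteAce -Path 'C:\PLACEHOLDER\usb-arbitration-config'
```

An empty result means none of the listed groups holds a write-type allow entry on that folder; it does not account for deny entries or for other principals.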

Known Attack Vectors

A local user on the system where the software is installed may exploit this issue to run commands as any user.

Resolution

To remediate CVE-2019-5543, update to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Lasse Trolle Borup of Danish Cyber Defence for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Horizon Client for Windows | 5.x and prior | Windows | CVE-2019-5543 | | important | 5.3.0 | None | None |
| VMRC for Windows | 10.x | Windows | CVE-2019-5543 | | important | 11.0.0 | None | None |
| Workstation for Windows | 15.x | Windows | CVE-2019-5543 | | important | 15.5.2 | None | None |

4. References
5. Change Log

2020-03-12: VMSA-2020-0004  
Initial security advisory in conjunction with the release of Workstation 15.5.2 and Fusion 11.5.2.
 
2020-03-14: VMSA-2020-0004.1

Clarified that the issue is present if virtual printing is enabled and that VMware Virtual Printer must be reinstalled to remediate the issue.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 
PGP key at:
https://kb.vmware.com/kb/1055
 
VMware Security Advisories
https://www.vmware.com/security/advisories
 
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
 
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

 
VMware Security & Compliance Blog  
https://blogs.vmware.com/security
 
Twitter
https://twitter.com/VMwareSRC


 
Copyright 2020 VMware Inc. All rights reserved.