VMSA-2020-0005: VMware Workstation, Fusion, VMware Remote Console and Horizon Client updates address privilege escalation and denial-of-service vulnerabilities
23572
22 March 2020
10 March 2020
CLOSED
HIGH
3.2-7.3
CVE-2020-3950, CVE-2020-3951
1. Impacted Products
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Remote Console for Mac (VMRC for Mac)
- VMware Horizon Client for Mac
- VMware Horizon Client for Windows
2. Introduction
VMware Workstation, Fusion, VMware Remote Console and Horizon Client updates address privilege escalation and denial-of-service vulnerabilities. Patches are available to remediate these vulnerabilities in affected VMware products.
3a. Privilege escalation vulnerability via setuid binaries (CVE-2020-3950)
Description
VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a privilege escalation vulnerability due to improper use of setuid binaries. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.
Known Attack Vectors
Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.
Resolution
To remediate CVE-2020-3950, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Jeffball of GRIMM and Rich Mirch for independently reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
Fusion | 11.x | OS X | CVE-2020-3950 | 7.3 | important | 11.5.3 | None | None |
VMRC for Mac | 11.x and prior | OS X | CVE-2020-3950 | 7.3 | important | 11.0.1 | None | None |
Horizon Client for Mac | 5.x and prior | OS X | CVE-2020-3950 | 7.3 | important | 5.4.0 | None | None |
3b. Denial of service vulnerability in Cortado Thinprint (CVE-2020-3951)
Description
VMware Workstation and Horizon Client for Windows contain a denial-of-service vulnerability due to a heap-overflow issue in Cortado Thinprint. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.2.
Known Attack Vectors
Attackers with non-administrative access to a guest VM with virtual printing enabled may exploit this issue to create a denial-of-service condition of the Thinprint service running on the system where Workstation or Horizon Client is installed.
Resolution
To remediate CVE-2020-3951, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Notes
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.
Acknowledgements
VMware would like to thank Dhanesh Kizhakkinan of FireEye Inc. for reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
Workstation | 15.x | Windows | CVE-2020-3951 | 3.2 | low | 15.5.2 | None | None |
Workstation | 15.x | Linux | CVE-2020-3951 | N/A | N/A | Not affected | N/A | N/A |
Horizon Client for Windows | 5.x and prior | Windows | CVE-2020-3951 | 3.2 | low | 5.4.0 | None | None |
4. References
Fixed Version(s) and Release Notes:
VMware Workstation Pro 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion 11.5.3
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
VMware Horizon Client 5.4.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html
VMware Remote Console 11.0.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1101&productId=742
https://docs.vmware.com/en/VMware-Remote-Console/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3950
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3951
FIRST CVSSv3 Calculator:
CVE-2020-3950: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2020-3951: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
5. Change Log
2020-03-17: VMSA-2020-0005
Initial security advisory in conjunction with the release of VMware Remote Console 11.0.1 and Horizon Client 5.4.0.
2020-03-18: VMSA-2020-0005.1
Updated security advisory with additional instructions found in KB78294 which must be applied after updating to Fusion 11.5.2 to remediate CVE-2020-3950.
2020-03-24: VMSA-2020-0005.2
Updated security advisory to add Fusion 11.5.3 in 'Fixed Version' which has a complete fix for CVE-2020-3950.
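The two matrices, the virtual-printing note in 3b and the Fusion 11.5.2 / KB78294 entry in the change log can be combined into one inventory triage. The following is an added example, not VMware code: the function names, status labels, hostnames and inventory rows are assumptions made for illustration, while products, platforms, CVEs and fixed versions are taken from this advisory.

```python
def parse(version):
    """'11.5' -> (11, 5, 0) so versions compare component-wise."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

# From the advisory: (product, platform) -> (CVE, listed major, "and prior"?, fixed)
MATRIX = {
    ("Fusion", "OS X"): ("CVE-2020-3950", 11, False, "11.5.3"),
    ("VMRC for Mac", "OS X"): ("CVE-2020-3950", 11, True, "11.0.1"),
    ("Horizon Client for Mac", "OS X"): ("CVE-2020-3950", 5, True, "5.4.0"),
    ("Workstation", "Windows"): ("CVE-2020-3951", 15, False, "15.5.2"),
    ("Workstation", "Linux"): ("CVE-2020-3951", 15, False, None),
    ("Horizon Client for Windows", "Windows"): ("CVE-2020-3951", 5, True, "5.4.0"),
}
# Note in 3b: virtual printing is off by default on Workstation, on for Horizon Client.
PRINTING_DEFAULT = {"Workstation": False, "Horizon Client for Windows": True}

def triage(product, platform, version, kb78294=False, virtual_printing=None):
    entry = MATRIX.get((product, platform))
    if entry is None:
        return "NOT_LISTED", None
    cve, major, and_prior, fixed = entry
    installed = parse(version)
    if fixed is None:
        return "NOT_AFFECTED", cve
    if installed >= parse(fixed):
        return "FIXED", cve
    if installed[0] != major and not (and_prior and installed[0] < major):
        return "NOT_LISTED", cve  # outside the versions the matrix covers
    # Change log: Fusion 11.5.2 needs KB78294; only 11.5.3 is the complete fix.
    if product == "Fusion" and installed == (11, 5, 2) and kb78294:
        return "INTERIM_FIX", cve
    if cve == "CVE-2020-3951":
        enabled = PRINTING_DEFAULT[product] if virtual_printing is None else virtual_printing
        if not enabled:
            return "VULNERABLE_NOT_EXPOSED", cve
    return "VULNERABLE", cve

# Constructed sample inventory; hostnames and installed versions are hypothetical.
INVENTORY = [
    ("mac-01", "Fusion", "OS X", "11.5.2"),
    ("mac-02", "VMRC for Mac", "OS X", "10.0.4"),
    ("win-01", "Workstation", "Windows", "15.5.1"),
    ("win-02", "Horizon Client for Windows", "Windows", "5.3.0"),
    ("lin-01", "Workstation", "Linux", "15.5.1"),
]

def report(inventory=INVENTORY):
    return {host: triage(prod, plat, ver) for host, prod, plat, ver in inventory}
```

A host reported as VULNERABLE_NOT_EXPOSED or INTERIM_FIX still needs the version from the 'Fixed Version' column; those labels only help order the patching queue.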
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
[email protected]
[email protected]
[email protected]
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2020 VMware Inc. All rights reserved.