VMSA-2020-0011:VMware ESXi, Workstation, Fusion, VMware Remote Console and Horizon Client updates address multiple security vulnerabilities
23578
07 July 2020
17 May 2020
CLOSED
HIGH
3.3-7.3
CVE-2020-3957,CVE-2020-3958,CVE-2020-3959
1. Impacted Products
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Remote Console for Mac (VMRC for Mac)
- VMware Horizon Client for Mac
2. Introduction
Multiple security vulnerabilities in VMware ESXi, Workstation, Fusion, VMRC for Mac and Horizon Client for Mac were privately reported to VMware. Patches and workarounds are available to remediate or workaround these vulnerabilities in affected VMware products
3a. Service opener - Time-of-check Time-of-use (TOCTOU) issue (CVE-2020-3957)
Description
VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOCTOU) issue in the service opener. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.
Known Attack Vectors
Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC for Mac or Horizon Client for Mac is installed.
Resolution
To remediate CVE-2020-3957 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Rich Mirch of TeamARES from Critical Start Inc. and Jeffball of GRIMM for independently reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Fusion | 11.x | OS X | CVE-2020-3957 | important | 11.5.5 | None | None | |
| VMRC for Mac | 11.x and prior | OS X | CVE-2020-3957 | important | 11.2.0 | None | None | |
| Horizon Client for Mac | 5.x and prior | OS X | CVE-2020-3957 | important | 5.4.3 | None | None |
3b. Denial-of-service vulnerability in Shader functionality (CVE-2020-3958)
Description
VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability in the shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.0
Known Attack Vectors
Exploitation of this issue require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.
Successful exploitation of this issue may allow attackers with non-administrative access to a virtual machine to crash the virtual machine's vmx process leading to a denial of service condition.
Resolution
To remediate CVE-2020-3958 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
Workarounds for CVE-2020-3958 have been been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.
Notes
None.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| ESXi | 7.0 | Any | CVE-2020-3958 | N/A | N/A | Unaffected | N/A | N/A |
| ESXi | 6.7 | Any | CVE-2020-3958 | moderate | ESXi670-202004101-SG | None | ||
| ESXi | 6.5 | Any | CVE-2020-3958 | moderate | ESXi650-202005401-SG | None | ||
| Workstation | 15.x | Any | CVE-2020-3958 | moderate | 15.5.2 | None | ||
| Fusion | 11.x | OS X | CVE-2020-3958 | moderate | 11.5.2 | None |
3c. Memory leak vulnerability in VMCI module (CVE-2020-3959)
Description
VMware ESXi, Workstation and Fusion contain a memory leak vulnerability in the VMCI module. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.3.
Known Attack Vectors
A malicious actor with local non-administrative access to a virtual machine may be able to crash the virtual machine's vmx process leading to a partial denial of service.
Resolution
To remediate CVE-2020-3959 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Tianwen Tang(VictorV) of Qihoo 360Vulcan Team working with 360 BugCloud for reporting this issue to us.
Notes
None.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| ESXi | 7.0 | Any | CVE-2020-3959 | N/A | N/A | Unaffected | N/A | N/A |
| ESXi | 6.7 | Any | CVE-2020-3959 | low | ESXi670-202004101-SG | None | None | |
| ESXi | 6.5 | Any | CVE-2020-3959 | low | ESXi650-202005401-SG | None | None | |
| Workstation | 15.x | Any | CVE-2020-3959 | moderate | 15.1.0 | None | None | |
| Fusion | 11.x | OS X | CVE-2020-3959 | low | 11.1.0 | None | None |
4. References
Fixed Version(s) and Release Notes:
VMware ESXi 6.7 ESXi670-202004101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202004002.html
VMware ESXi 6.5 ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202005001.html
VMware Workstation Pro 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 15.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion 11.5.5 (Latest)
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
VMware Horizon Client for Mac 5.4.3
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html
VMware Remote Console for Mac 11.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VMRC1120&productId=974
https://docs.vmware.com/en/VMware-Remote-Console/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3959
FIRST CVSSv3 Calculator:
CVE-2020-3957-
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2020-3958-
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2020-3959 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
5. Change Log
2020-05-28: VMSA-2020-0011 - Initial security advisory.
2020-07-09: VMSA-2020-0011.1 - Updated security advisory to add fixed versions of VMRC for Mac and Horizon Client for Mac - Issue 3(a).
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.