VMSA-2020-0026: VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities
23583
22 November 2020
17 November 2020
CLOSED
CRITICAL
8.8 - 9.3
CVE-2020-4004, CVE-2020-4005
1. Impacted Products
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation (Cloud Foundation)
2. Introduction
Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
3a. Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)
Description
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.
Known Attack Vectors
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
Resolution
To remediate CVE-2020-4004, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
Workarounds for CVE-2020-4004 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360 Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this issue to us.
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 7.0 | Any | CVE-2020-4004 | | critical | ESXi70U1b-17168206 | | None |
ESXi | 6.7 | Any | CVE-2020-4004 | | critical | ESXi670-202011101-SG | | None |
ESXi | 6.5 | Any | CVE-2020-4004 | | critical | ESXi650-202011301-SG | | None |
Fusion | 12.x | OS X | CVE-2020-4004 | N/A | N/A | Unaffected | N/A | N/A |
Fusion | 11.x | OS X | CVE-2020-4004 | | critical | 11.5.7 | | None |
Workstation | 16.x | Any | CVE-2020-4004 | N/A | N/A | Unaffected | N/A | N/A |
Workstation | 15.x | Any | CVE-2020-4004 | | critical | 15.5.7 | | None |
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-4004 | | critical | 4.1.0.1 | | None |
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-4004 | | critical | 3.10.1.2 | | None |
3b. VMX elevation-of-privilege vulnerability (CVE-2020-4005)
Description
VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
Known Attack Vectors
A malicious actor with privileges only within the VMX process may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability (e.g. CVE-2020-4004).
Resolution
To remediate CVE-2020-4005, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360 Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this issue to us.
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 7.0 | Any | CVE-2020-4005 | | important | ESXi70U1b-17168206 | None | None |
ESXi | 6.7 | Any | CVE-2020-4005 | | important | ESXi670-202011101-SG | None | None |
ESXi | 6.5 | Any | CVE-2020-4005 | | important | ESXi650-202011301-SG | None | None |
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-4005 | | important | 4.1.0.1 | None | None |
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-4005 | | important | 3.10.1.2 | None | None |
4. References
VMware ESXi 7.0 ESXi70U1b-17168206
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1b.html
VMware ESXi 6.7 ESXi670-202011101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011002.html
VMware ESXi 6.5 ESXi650-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011002.html
VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion 11.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
VMware vCloud Foundation 4.1.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html#4.1.0.1
VMware vCloud Foundation 3.10.1.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.2
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4005
FIRST CVSSv3 Calculator:
CVE-2020-4004 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-4005 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
5. Change Log
2020-11-19 VMSA-2020-0026
Initial security advisory.
2020-11-24 VMSA-2020-0026.1
Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of sections 3(a) and 3(b).
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.