VMSA-2020-0017: VMware Fusion, VMware Remote Console and Horizon Client updates address a privilege escalation vulnerability
1. Impacted Products
- VMware Fusion Pro / Fusion (Fusion)
- VMware Remote Console for Mac (VMRC for Mac)
- VMware Horizon Client for Mac
2. Introduction
A privilege escalation vulnerability in VMware Fusion, VMRC for Mac and Horizon Client for Mac was privately reported to VMware. Updates are available to address this vulnerability.
3. XPC Client validation privilege escalation vulnerability (CVE-2020-3974)
Description
VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a privilege escalation vulnerability due to improper XPC Client validation. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Known Attack Vectors
Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC for Mac or Horizon Client for Mac is installed.
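The defect class named above, an XPC service that does not properly validate the client connecting to it, is what lets an unprivileged local process drive a helper that runs as root. The sketch below is an added example and is not VMware's code, nor a description of the specific check that was missing in these products: it shows a generic root helper's NSXPCListener delegate with the weak client-validation pattern (PID plus bundle identifier) next to a hardened one (the peer's kernel-supplied audit token bound to a code-signing requirement). The Mach service name, bundle identifier, Team ID, the HelperProtocol interface and the private auditToken property of NSXPCConnection are assumptions made for the example.

```objective-c
#import <Foundation/Foundation.h>
#import <AppKit/AppKit.h>      // NSRunningApplication, used only by the weak check
#import <Security/Security.h>
#import <bsm/libbsm.h>         // audit_token_t

// Undocumented property of NSXPCConnection (assumption): the way to reach the
// peer's audit token on releases before macOS 13, which added the public
// -[NSXPCConnection setCodeSigningRequirement:].
@interface NSXPCConnection (PrivateAuditToken)
@property (nonatomic, readonly) audit_token_t auditToken;
@end

// Interface the privileged helper exposes over XPC (placeholder).
@protocol HelperProtocol
- (void)runPrivilegedTask:(NSString *)task reply:(void (^)(BOOL ok))reply;
@end

@interface HelperListener : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

// Requirement the client's code signature must satisfy; identifier and
// Team ID are placeholders.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"ABCDE12345\"";

@implementation HelperListener

// WEAK: the PID is resolved after the connection arrived and may already belong
// to a different process (PID reuse), and a bundle identifier is a string any
// binary can claim. Shown for contrast; not used by the listener below.
- (BOOL)weakValidate:(NSXPCConnection *)conn {
    NSRunningApplication *app = [NSRunningApplication
        runningApplicationWithProcessIdentifier:conn.processIdentifier];
    return [app.bundleIdentifier isEqualToString:@"com.example.client"];
}

// HARDENED: evaluate the requirement against the code object identified by the
// audit token the kernel attached to the connection, then require hardened
// runtime and library validation so the client cannot be hijacked by dylib
// injection and used as a proxy.
- (BOOL)strongValidate:(NSXPCConnection *)conn {
    audit_token_t token = conn.auditToken;
    NSDictionary *attrs = @{
        (__bridge id)kSecGuestAttributeAudit :
            [NSData dataWithBytes:&token length:sizeof(token)]
    };
    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) {
        return NO;
    }
    BOOL ok = NO;
    SecRequirementRef req = NULL;
    CFDictionaryRef info = NULL;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess &&
        SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess &&
        SecCodeCopySigningInformation((SecStaticCodeRef)code, kSecCSDefaultFlags,
                                      &info) == errSecSuccess) {
        NSNumber *flags = ((__bridge NSDictionary *)info)[(__bridge id)kSecCodeInfoFlags];
        uint32_t f = flags.unsignedIntValue;
        ok = (f & kSecCodeSignatureRuntime) && (f & kSecCodeSignatureLibraryValidation);
    }
    if (info) CFRelease(info);
    if (req) CFRelease(req);
    CFRelease(code);
    return ok;
}

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (![self strongValidate:newConnection]) {
        [newConnection invalidate];   // reject before exporting any object
        return NO;
    }
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}

- (void)runPrivilegedTask:(NSString *)task reply:(void (^)(BOOL))reply {
    // Reached only for validated clients; the privileged work would go here.
    reply(YES);
}
@end

int main(void) {
    @autoreleasepool {
        HelperListener *delegate = [HelperListener new];
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

The point of the hardened variant is that every decision is made on data the kernel bound to this connection (the audit token) and on the signature of the code actually running, never on a PID or a self-reported name. A requirement string that only pins the identifier is still weak; pinning the Team ID, and insisting on hardened runtime with library validation, closes the common bypasses of spoofed identifiers and injected code.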
Resolution
To remediate CVE-2020-3974, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Cees Elzinga of Danish Cyber Defence and Csaba Fitzl (@theevilbit) for independently reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
Fusion | 11.x | OS X | CVE-2020-3974 | 7.8 | important | 11.5.5 | None | None
VMRC for Mac | 11.x and prior | OS X | CVE-2020-3974 | 7.8 | important | 11.2.0 | None | None
Horizon Client for Mac | 5.x and prior | OS X | CVE-2020-3974 | 7.8 | important | 5.4.3 | None | None
4. References
Fixed Version(s) and Release Notes:
VMware Fusion 11.5.5
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
VMware Horizon Client for Mac 5.4.3
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Horizon-Client/index.html
VMware Remote Console for Mac 11.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VMRC1120&productId=974
https://docs.vmware.com/en/VMware-Remote-Console/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3974
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
5. Change Log
2020-07-09: VMSA-2020-0017 Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
[email protected]
[email protected]
[email protected]
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2020 VMware Inc. All rights reserved.