VMSA-2020-0023: VMware ESXi, Workstation, Fusion and NSX-T updates address multiple security vulnerabilities
23590
22 November 2020
18 October 2020
CLOSED
CRITICAL
5.9 - 9.8
CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995
1. Impacted Products
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- NSX-T Data Center
- VMware Cloud Foundation (Cloud Foundation)
- VMware vCenter Server (vCenter Server)
2. Introduction
IMPORTANT: The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely; see section (3a) Notes for an update.
Multiple vulnerabilities in VMware ESXi, Workstation, Fusion and NSX-T were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
3a. ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)
Description
OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
Resolution
To remediate CVE-2020-3992 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
Workarounds for CVE-2020-3992 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Lucas Leong (@_wmliang_) of Trend Micro's Zero Day Initiative for reporting this issue to us.
Notes
The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely. The ESXi patches listed in the Response Matrix below are updated versions that contain the complete fix for CVE-2020-3992.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 7.0 | Any | CVE-2020-3992 | | critical | ESXi70U1a-17119627 | None | |
ESXi | 6.7 | Any | CVE-2020-3992 | | critical | ESXi670-202011301-SG | None | |
ESXi | 6.5 | Any | CVE-2020-3992 | | critical | ESXi650-202011401-SG | None | |
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3992 | | critical | 4.1.0.1 | None. | |
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3992 | | critical | 3.10.1.2 | None | |
3b. NSX-T MITM vulnerability (CVE-2020-3993)
Description
VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors
A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.
Resolution
To remediate CVE-2020-3993 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Kevin Kelpen of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
NSX-T | 3.x | Any | CVE-2020-3993 | | important | 3.0.2 | None | None |
NSX-T | 2.5.x | Any | CVE-2020-3993 | | important | 2.5.2.2.0 | None | None |
VMware Cloud Foundation (NSX-T) | 4.x | Any | CVE-2020-3993 | | important | 4.1 | None | None. |
VMware Cloud Foundation (NSX-T) | 3.x | Any | CVE-2020-3993 | | important | 3.10.1.1 | None. | None |
3c. TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)
Description
VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability due to a time-of-check time-of-use issue in the ACPI device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors
A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.
Resolution
To remediate CVE-2020-3981 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Reno Robert working with Trend Micro's Zero Day Initiative for reporting this issue to us.
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 7.0 | Any | CVE-2020-3981 | | important | ESXi_7.0.1-0.0.16850804 | None. | None |
ESXi | 6.7 | Any | CVE-2020-3981 | | important | ESXi670-202008101-SG | None | None |
ESXi | 6.5 | Any | CVE-2020-3981 | | important | ESXi650-202007101-SG | None | None |
Fusion | 12.x | OS X | CVE-2020-3981 | N/A | N/A | Unaffected | N/A | N/A |
Fusion | 11.x | OS X | CVE-2020-3981 | | important | 11.5.6 | None | None |
Workstation | 16.x | Any | CVE-2020-3981 | N/A | N/A | Unaffected | N/A | N/A |
Workstation | 15.x | Any | CVE-2020-3981 | | important | 15.5.7 | None | None |
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3981 | | important | 4.1 | None | None. |
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3981 | | important | 3.10.1 | None | None |
3d. TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)
Description
VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in the ACPI device. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.
Known Attack Vectors
A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine's vmx process or corrupt the hypervisor's memory heap.
Resolution
To remediate CVE-2020-3982 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Reno Robert working with Trend Micro's Zero Day Initiative for reporting this issue to us.
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 7.0 | Any | CVE-2020-3982 | | moderate | ESXi_7.0.1-0.0.16850804 | None. | None |
ESXi | 6.7 | Any | CVE-2020-3982 | | moderate | ESXi670-202008101-SG | None | None |
ESXi | 6.5 | Any | CVE-2020-3982 | | moderate | ESXi650-202007101-SG | None | None |
Fusion | 12.x | OS X | CVE-2020-3982 | N/A | N/A | Unaffected | N/A | N/A |
Fusion | 11.x | OS X | CVE-2020-3982 | | moderate | 11.5.6 | None | None |
Workstation | 16.x | Any | CVE-2020-3982 | N/A | N/A | Unaffected | N/A | N/A |
Workstation | 15.x | Any | CVE-2020-3982 | | moderate | 15.5.7 | None | None |
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3982 | | moderate | 4.1 | None | None. |
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3982 | | moderate | 3.10.1 | None | None |
3e. vCenter Server session hijack vulnerability in update function (CVE-2020-3994)
Description
VMware vCenter Server contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors
A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.
Resolution
To remediate CVE-2020-3994 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Thorsten Tüllmann, Karlsruhe Institute of Technology, for reporting this issue to us.
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
vCenter Server | 7.0 | Any | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A |
vCenter Server | 6.7 | Virtual Appliance | CVE-2020-3994 | | important | 6.7 U3 | None | None |
vCenter Server | 6.7 | Windows | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A |
vCenter Server | 6.5 | Virtual Appliance | CVE-2020-3994 | | important | 6.5 U3K | None | None |
vCenter Server | 6.5 | Windows | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A |
VMware Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A |
VMware Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2020-3994 | | important | 3.9.0 | None | None |
3f. VMCI host driver memory leak vulnerability (CVE-2020-3995)
Description
The VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors
A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.
Resolution
To remediate CVE-2020-3995 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Tianwen Tang (VictorV) for reporting this issue to us.
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 7.0 | Any | CVE-2020-3995 | N/A | N/A | Unaffected | N/A | N/A |
ESXi | 6.7 | Any | CVE-2020-3995 | | important | ESXi670-201908101-SG | None | None |
ESXi | 6.5 | Any | CVE-2020-3995 | | important | ESXi650-201907101-SG | None | None |
Fusion | 11.x | OS X | CVE-2020-3995 | | important | 11.1.0 | None | None |
Workstation | 15.x | Any | CVE-2020-3995 | | important | 15.1.0 | None | None |
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3995 | N/A | N/A | Unaffected | N/A | N/A |
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3995 | | important | 3.9.0 | None | None |
4. References
VMware ESXi 7.0 ESXi70U1a-17119627
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1a.html
VMware ESXi 6.7 ESXi670-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011001.html
VMware ESXi 6.5 ESXi650-202011401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011001.html
VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion 11.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
VMware NSX-T 3.0.2
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-302&productId=982&rPId=52624
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html
VMware NSX-T 2.5.2.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-2522&productId=673&rPId=53876
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html
VMware vCenter Server 6.7u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC67U3&productId=742&rPId=52126
VMware vCenter Server 6.5u3k
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173
VMware vCloud Foundation 4.1.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html#4.1.0.1
VMware vCloud Foundation 3.10.1.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.2
VMware vCloud Foundation 4.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html
VMware vCloud Foundation 3.10.1.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.1
VMware vCloud Foundation 3.9
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VCF390&productId=945&rPId=41516
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3995
FIRST CVSSv3 Calculator:
CVE-2020-3981 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2020-3982 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CVE-2020-3992 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-3993 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3994 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3995 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
5. Change Log
2020-10-20 VMSA-2020-0023
Initial security advisory.
2020-11-04 VMSA-2020-0023.1
Updated patch versions in the response matrix of section (3a) after release of ESXi patches that completed the incomplete fix for CVE-2020-3992 on 2020-11-04.
2020-11-19 VMSA-2020-0023.2
Updated security advisory to add Workstation 15.x version in the response matrix of sections 3(c) and 3(d).
2020-11-24 VMSA-2020-0023.3
Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of section 3(a).
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.