VMware Security Announcement VMSA-2020-0004

VMSA-2020-0004 Was released this week. This affects VMware Horizon Client, VMRC, VMware Workstation and Fusion. Updates to these address use-after-free and privilege escalation vulnerabilities (CVE-2019-5543, CVE-2020-3947, CVE-2020-3948).

Impacted Products:

    VMwareWorkstation Pro / Player (Workstation)

    VMwareFusion Pro / Fusion (Fusion)

    VMwareHorizon Client for Windows

    VMwareRemote Console for Windows (VMRC for Windows)

Use-after-free vulnerability in vmnetdhcp (CVE-2020-3947)

VMware Workstation and Fusion contain a use-after vulnerability in vmnetdhcp.VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

To mitigate this install Version 15.5.2 of VMware workstation or Version 11.5.2 of VMware Fusion.

Local Privilege escalation vulnerability in Cortado Thinprint (CVE-2020-3948)

Linux Guest VMs running on VMware Workstation and Fusion contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. Exploitation is only possible if virtual printing is enabled in the Guest VM. Virtual printing is not enabled by default on Workstation and Fusion.

To mitigate this install Version 15.5.2 of VMware workstation or Version 11.5.2 of VMware Fusion.

VMware Horizon Client, VMRC and Workstation privilege escalation vulnerability (CVE-2019-5543)

For VMware Horizon Client for Windows, VMRC for Windows and Workstation for Windows the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

To mitigate this install version 5.3.0 of the Horizon Client for Windows, version 11.0.0 of VMRC for Windows, or version 15.5.2 of VMware Workstation for Windows.

Release notes and download links

VMware Workstation Pro 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation

https://docs.vmware.com/en/VMware-Workstation-Pro/index.html


VMware Workstation Player 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.2
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware Horizon Client for Windows 5.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=CART20FQ4_WIN_530&productId=863
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

VMware Remote Console for Windows 11.0.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1100&productId=742
https://docs.vmware.com/en/VMware-Remote-Console/index.html

Link to the Official advisior from VMware;

https://www.vmware.com/security/advisories/VMSA-2020-0004.html