VMware Security Announcement VMSA-2020-0011

Today VMware released VMSA-2020-0011. This affects VMware ESXi, Workstation, Fusion, VMware Remote Console and Horizon Client and addresses multiple security vulnerabilities (CVE-2020-3957, CVE-2020-3958, CVE-2020-3959). Patch download links are provided at the bottom of the post, along with release notes.

Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Remote Console for Mac (VMRC for Mac)
  • VMware Horizon Client for Mac
Introduction
Multiple security vulnerabilities in VMware ESXi, Workstation, Fusion, VMRC and Horizon Client were privately reported to VMware. Patches and workarounds are available to remediate or work around these vulnerabilities in affected VMware products.

Service opener - Time-of-check Time-of-use (TOCTOU) issue (CVE-2020-3957)

Description:

VMware Fusion, VMRC and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOCTOU) issue in the service opener. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.


Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC and Horizon Client are installed.

Resolution:

To remediate this issue, install version 11.5.5 of VMware Fusion. Patches are pending release for VMRC for Mac and the Horizon Client for Mac. I will update this post when the patches release. Currently there are no workarounds for CVE-2020-3957. Download links will be provided in this post.

Denial-of-service vulnerability in Shader functionality (CVE-2020-3958)

Description:

VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability in the shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.0.

Known Attack Vectors:

Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. 3D graphics is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

Successful exploitation of this issue may allow attackers with non-administrative access to a virtual machine to crash the virtual machine's vmx process leading to a denial of service condition.

Resolution:

ESXi 7.0 is not affected by this CVE.

To remediate ESXi 6.7, install patch ESXi670-202004101-SG. For a workaround in ESXi 6.7, see item number 34 in the VMware ESXi Security Guide.

To remediate ESXi 6.5, install patch ESXi650-202005401-SG. For a workaround in ESXi 6.5, see item number 34 in the VMware ESXi Security Guide.

To remediate Workstation 15.x, install version 15.5.2. There is a workaround provided in KB59146.

Workaround Details

1. Shut down the virtual machine.
2. Select the virtual machine and select VM > Settings.
3. On the Hardware tab, select Display.
4. Uncheck Accelerate 3D graphics.
5. Click OK.

To remediate VMware Fusion 11.x, install version 11.5.2. There is a workaround provided in KB59146.

Workaround Details

1. Shut down the virtual machine.
2. From the VMware Fusion menu bar, select Window > Virtual Machine Library.
3. Select a virtual machine and click Settings.
4. In the Settings window, in the System Settings section, select Display.
5. Uncheck Accelerate 3D graphics.
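
To confirm the Workstation and Fusion workarounds above were actually applied across many VMs, the configuration files can be audited instead of clicking through each VM. The script below is an added example, not part of the advisory or VMware's tooling; it assumes the setting is stored in each VM's .vmx file under the key `mks.enable3d`, and that an absent key means the product default described above.

```python
import re
import sys
from pathlib import Path

VMX_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')  # key = "value"
KEY_3D = "mks.enable3d"

def values_for(vmx_text, key):
    """Return every value assigned to key (keys compared case-insensitively)."""
    found = []
    for line in vmx_text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() == key:
            found.append(m.group(2).strip().lower())
    return found

def is_3d_enabled(vmx_text, default_enabled):
    """True if 3D acceleration is on for this VM.

    default_enabled applies when the key is absent: per the advisory text,
    False on ESXi, True on Workstation and Fusion (assumption: an absent key
    means the product default). Duplicate keys are treated conservatively:
    any "TRUE" counts as enabled.
    """
    values = values_for(vmx_text, KEY_3D)
    if not values:
        return default_enabled
    return "true" in values

def audit(root, default_enabled):
    """Return sorted paths of .vmx files under root that still have 3D on."""
    hits = []
    for path in Path(root).rglob("*.vmx"):
        if is_3d_enabled(path.read_text(errors="replace"), default_enabled):
            hits.append(str(path))
    return sorted(hits)

# Constructed sample .vmx contents, not taken from a real VM.
SAMPLE_ON = 'displayName = "build-01"\nmks.enable3d = "TRUE"\n'
SAMPLE_OFF = 'displayName = "build-02"\nmks.enable3d = "FALSE"\n'
SAMPLE_UNSET = 'displayName = "build-03"\nmemsize = "4096"\n'

if __name__ == "__main__":
    # Usage: python audit_3d.py <vm-directory> [esxi]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    default = not (len(sys.argv) > 2 and sys.argv[2] == "esxi")
    for vmx in audit(root, default):
        print("3D acceleration enabled:", vmx)
```

Any path the script reports is a VM that still needs either the patch or the workaround.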

Memory leak vulnerability in VMCI module (CVE-2020-3959)

Description:

VMware ESXi, Workstation and Fusion contain a memory leak vulnerability in the VMCI module. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.3.

Known Attack Vectors:

A malicious actor with local non-administrative access to a virtual machine may be able to crash the virtual machine's vmx process leading to a partial denial of service.

Resolution:

ESXi 7.0 is not affected by this CVE.

To remediate ESXi 6.7, install patch ESXi670-202004101-SG. There are no workarounds published for this CVE.

To remediate ESXi 6.5, install patch ESXi650-202005401-SG. There are no workarounds published for this CVE.

To remediate Workstation 15.x, install version 15.1. There are no workarounds published for this CVE.

To remediate VMware Fusion 11.x, install version 11.1. There are no workarounds published for this CVE.

Fixed Version(s) and Release Notes:

VMware ESXi 6.7 ESXi670-202004101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202004002.html


VMware ESXi 6.5 ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202005001.html

VMware Workstation Pro 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation

https://docs.vmware.com/en/VMware-Workstation-Pro/index.html


VMware Workstation Player 15.5.2

Downloads and Documentation:

https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.5 (Latest)
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

Thanks for reading!