VMware Security Announcement VMSA-2020-0012

Today VMware released VMSA-2020-0012. This affects VMware ESXi, Workstation and Fusion. The updates address an out-of-bounds read vulnerability (CVE-2020-3960).

Impacted Products
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)

Introduction

An out-of-bounds read vulnerability affecting VMware hypervisors was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

VMware ESXi, Workstation and Fusion out-of-bounds read vulnerability (CVE-2020-3960)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability in NVMe functionality. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with local non-administrative access to a virtual machine may be able to read privileged information contained in memory.

Resolution

To remediate CVE-2020-3960, apply the patches listed below:

ESXi 7.0 is not affected by this CVE.

To remediate ESXi 6.7, install patch ESXi670-202006401-SG. There are currently no workarounds other than the patch. Download links are provided below.

To remediate ESXi 6.5, install patch ESXi650-202005401-SG. There are currently no workarounds other than the patch. Download links are provided below.

To remediate Workstation 15.x, install patch 15.5.5. There are currently no workarounds other than the patch. Download links are provided below.

To remediate Fusion 11.x, install patch 11.5.5. There are currently no workarounds other than the patch. Download links are provided below.

Here is a link to the official advisory from VMware: https://www.vmware.com/security/advisories/VMSA-2020-0012.html

References and Downloads

ESXi 6.7 Patch ESXi670-202006401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202006001.html#esxi670-202006401-sg-resolved

ESXi 6.5 Patch ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202005001.html#esxi650-202005401-sg-resolved

VMware Workstation Pro 15.5.5
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Fusion 11.5.5
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

Thanks