VMware Security Announcement VMSA-2020-0015, Critical Alert

Today VMware released a new Critical Alert VMSA-2020-0015. This Critical alert addresses several vulnerabilities in VMware ESXi, Workstation, and Fusion. (CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971)

Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation

Introduction

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Patches and updates, as well as workarounds, are available to remediate these vulnerabilities in the affected VMware products.

Use-after-free vulnerability in SVGA device (CVE-2020-3962)

Description

VMware ESXi, Workstation and Fusion contain a Use-after-free vulnerability in the SVGA device. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.20.16321839. Download links will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202004101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202005401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.5.5. Download links will be provided in the downloads section.

For Workstation, apply patch 15.5.5. Download links will be provided in the downloads section.

For VMware Cloud Foundation 4.x, release 4.0.1, which will address this issue, is pending.

For VMware Cloud Foundation 3.x, apply patch 3.10.

Workarounds

For all ESXi versions and VMware Cloud Foundation 3.x and 4.x, see item 34 in the Security Configuration Guide: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6-5-update-1-security-configuration-guide.xlsx

For Workstation and Fusion, see KB59146: https://kb.vmware.com/s/article/59146

For Fusion:
1. Shut down the virtual machine.
2. From the VMware Fusion menu bar, select Window > Virtual Machine Library.
3. Select a virtual machine and click Settings.
4. In the Settings window, in the System Settings section, select Display.
5. Uncheck Accelerate 3D graphics.

For Workstation:
1. Shut down the virtual machine.
2. Select the virtual machine and select VM > Settings.
3. On the Hardware tab, select Display.
4. Uncheck Accelerate 3D graphics.
5. Click OK.

Notes

3D graphics are not enabled by default on ESXi.
3D graphics are enabled by default on Workstation and Fusion.

Off-by-one heap-overflow vulnerability in SVGA device (CVE-2020-3969)

Description

VMware ESXi, Workstation and Fusion contain an off-by-one heap-overflow vulnerability in the SVGA device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.20.16321839. Download links will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202004101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202005401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.5.5. Download links will be provided in the downloads section.

For Workstation, apply patch 15.5.5. Download links will be provided in the downloads section.

For VMware Cloud Foundation 4.x, release 4.0.1, which will address this issue, is pending.

For VMware Cloud Foundation 3.x, apply patch 3.10.

Workarounds

For all ESXi versions and VMware Cloud Foundation 3.x and 4.x, see item 34 in the Security Configuration Guide: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6-5-update-1-security-configuration-guide.xlsx

For Workstation and Fusion, see KB59146: https://kb.vmware.com/s/article/59146

For Fusion:
1. Shut down the virtual machine.
2. From the VMware Fusion menu bar, select Window > Virtual Machine Library.
3. Select a virtual machine and click Settings.
4. In the Settings window, in the System Settings section, select Display.
5. Uncheck Accelerate 3D graphics.

For Workstation:
1. Shut down the virtual machine.
2. Select the virtual machine and select VM > Settings.
3. On the Hardware tab, select Display.
4. Uncheck Accelerate 3D graphics.
5. Click OK.

Notes

3D graphics are not enabled by default on ESXi.
3D graphics are enabled by default on Workstation and Fusion.
CVE-2020-3969 does not affect the ESXi 6.7 or 6.5 release lines.

Out-of-bound read issue in Shader Functionality (CVE-2020-3970)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability in the Shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.0.

Known Attack Vectors

A malicious actor with non-administrative local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to crash the virtual machine's vmx process leading to a partial denial of service condition.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.20.16321839. Download links will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202004101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202005401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.5.5. Download links will be provided in the downloads section.

For Workstation, apply patch 15.5.5. Download links will be provided in the downloads section.

For VMware Cloud Foundation 4.x, release 4.0.1, which will address this issue, is pending.

For VMware Cloud Foundation 3.x, apply patch 3.10.

Workarounds

For all ESXi versions and VMware Cloud Foundation 3.x and 4.x, see item 34 in the Security Configuration Guide: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6-5-update-1-security-configuration-guide.xlsx

For Workstation and Fusion, see KB59146: https://kb.vmware.com/s/article/59146

For Fusion:
1. Shut down the virtual machine.
2. From the VMware Fusion menu bar, select Window > Virtual Machine Library.
3. Select a virtual machine and click Settings.
4. In the Settings window, in the System Settings section, select Display.
5. Uncheck Accelerate 3D graphics.

For Workstation:
1. Shut down the virtual machine.
2. Select the virtual machine and select VM > Settings.
3. On the Hardware tab, select Display.
4. Uncheck Accelerate 3D graphics.
5. Click OK.

Notes

3D graphics are not enabled by default on ESXi.
3D graphics are enabled by default on Workstation and Fusion.

Heap-overflow issue in EHCI controller (CVE-2020-3967)

Description

VMware ESXi, Workstation and Fusion contain a heap-overflow vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.20.16321839. Download links will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202004101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202005401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.5.5. Download links will be provided in the downloads section.

For Workstation, apply patch 15.5.5. Download links will be provided in the downloads section.

For VMware Cloud Foundation 4.x, release 4.0.1, which will address this issue, is pending.

For VMware Cloud Foundation 3.x, apply patch 3.10.

Workarounds

Remove the USB controller from the virtual machine.

Prerequisites
  • Verify that all USB devices are disconnected from the virtual machine.
  • Required Privilege: Virtual Machine.Configuration.Add or Remove Device

Procedure
  1. Navigate to a datacenter, folder, cluster, resource pool, host, or vApp, click the VMs tab and click Virtual Machines.
  2. Right-click a virtual machine and click Edit Settings.
  3. On the Virtual Hardware tab, move the pointer over the USB controller and click the Remove icon.
  4. Click OK to confirm the deletion and close the dialog box.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-ACA30034-EC88-491B-8D8B-4E319611C308.html

Out-of-bounds write vulnerability in xHCI controller (CVE-2020-3968)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability in the USB 3.0 controller (xHCI). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to crash the virtual machine's vmx process leading to a denial of service condition or execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.20.16321839. Download links will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202004101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202005401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.5.5. Download links will be provided in the downloads section.

For Workstation, apply patch 15.5.5. Download links will be provided in the downloads section.

For VMware Cloud Foundation 4.x, release 4.0.1, which will address this issue, is pending.

For VMware Cloud Foundation 3.x, apply patch 3.10.

Workarounds

Remove the USB controller from the virtual machine.

Prerequisites
  • Verify that all USB devices are disconnected from the virtual machine.
  • Required Privilege: Virtual Machine.Configuration.Add or Remove Device

Procedure
  1. Navigate to a datacenter, folder, cluster, resource pool, host, or vApp, click the VMs tab and click Virtual Machines.
  2. Right-click a virtual machine and click Edit Settings.
  3. On the Virtual Hardware tab, move the pointer over the USB controller and click the Remove icon.
  4. Click OK to confirm the deletion and close the dialog box.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-ACA30034-EC88-491B-8D8B-4E319611C308.html

Heap-overflow due to race condition in EHCI controller (CVE-2020-3966)

Description

VMware ESXi, Workstation and Fusion contain a heap-overflow due to a race condition issue in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.20.16321839. Download links will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202004101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202005401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.5.5. Download links will be provided in the downloads section.

For Workstation, apply patch 15.5.5. Download links will be provided in the downloads section.

For VMware Cloud Foundation 4.x, release 4.0.1, which will address this issue, is pending.

For VMware Cloud Foundation 3.x, apply patch 3.10.

Workarounds

Remove the USB controller from the virtual machine.

Prerequisites
  • Verify that all USB devices are disconnected from the virtual machine.
  • Required Privilege: Virtual Machine.Configuration.Add or Remove Device

Procedure
  1. Navigate to a datacenter, folder, cluster, resource pool, host, or vApp, click the VMs tab and click Virtual Machines.
  2. Right-click a virtual machine and click Edit Settings.
  3. On the Virtual Hardware tab, move the pointer over the USB controller and click the Remove icon.
  4. Click OK to confirm the deletion and close the dialog box.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-ACA30034-EC88-491B-8D8B-4E319611C308.html

Information leak in the XHCI USB controller (CVE-2020-3965)

Description

VMware ESXi, Workstation and Fusion contain an information leak in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.20.16321839. Download links will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202004101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202005401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.5.5. Download links will be provided in the downloads section.

For Workstation, apply patch 15.5.5. Download links will be provided in the downloads section.

For VMware Cloud Foundation 4.x, release 4.0.1, which will address this issue, is pending.

For VMware Cloud Foundation 3.x, apply patch 3.10.

Workarounds

Remove the USB controller from the virtual machine.

Prerequisites
  • Verify that all USB devices are disconnected from the virtual machine.
  • Required Privilege: Virtual Machine.Configuration.Add or Remove Device

Procedure
  1. Navigate to a datacenter, folder, cluster, resource pool, host, or vApp, click the VMs tab and click Virtual Machines.
  2. Right-click a virtual machine and click Edit Settings.
  3. On the Virtual Hardware tab, move the pointer over the USB controller and click the Remove icon.
  4. Click OK to confirm the deletion and close the dialog box.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-ACA30034-EC88-491B-8D8B-4E319611C308.html

Information Leak in the EHCI USB controller (CVE-2020-3964)

Description

VMware ESXi, Workstation and Fusion contain an information leak in the EHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to read privileged information contained in the hypervisor's memory. Additional conditions beyond the attacker's control need to be present for exploitation to be possible.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.20.16321839. Download links will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202004101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202005401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.5.5. Download links will be provided in the downloads section.

For Workstation, apply patch 15.5.5. Download links will be provided in the downloads section.

For VMware Cloud Foundation 4.x, release 4.0.1, which will address this issue, is pending.

For VMware Cloud Foundation 3.x, apply patch 3.10.

Workarounds

Remove the USB controller from the virtual machine.

Prerequisites
  • Verify that all USB devices are disconnected from the virtual machine.
  • Required Privilege: Virtual Machine.Configuration.Add or Remove Device

Procedure
  1. Navigate to a datacenter, folder, cluster, resource pool, host, or vApp, click the VMs tab and click Virtual Machines.
  2. Right-click a virtual machine and click Edit Settings.
  3. On the Virtual Hardware tab, move the pointer over the USB controller and click the Remove icon.
  4. Click OK to confirm the deletion and close the dialog box.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-ACA30034-EC88-491B-8D8B-4E319611C308.html

Use-after-free vulnerability in PVNVRAM (CVE-2020-3963)

Description

VMware ESXi, Workstation and Fusion contain a Use-after-free vulnerability in PVNVRAM. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with local access to a virtual machine may be able to read privileged information contained in physical memory.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.20.16321839. Download links will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202004101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202005401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.5.5. Download links will be provided in the downloads section.

For Workstation, apply patch 15.5.5. Download links will be provided in the downloads section.

For VMware Cloud Foundation 4.x, release 4.0.1, which will address this issue, is pending.

For VMware Cloud Foundation 3.x, apply patch 3.10.

Workarounds

None

Heap overflow vulnerability in vmxnet3 (CVE-2020-3971)

Description

VMware ESXi, Fusion and Workstation contain a heap overflow vulnerability in the vmxnet3 virtual network adapter. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with local access to a virtual machine with a vmxnet3 network adapter present may be able to read privileged information contained in physical memory.

Resolution

ESXi 7.0 is not affected by this vulnerability.

For ESXi 6.7, apply patch ESXi670-201904101-SG. Download links will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-201905401-SG. Download links will be provided in the downloads section.

For Fusion, apply patch 11.0.2. Download links will be provided in the downloads section.

For Workstation, apply patch 15.0.2. Download links will be provided in the downloads section.

VMware Cloud Foundation 4.x is not affected by this vulnerability.

For VMware Cloud Foundation 3.x, apply patch 3.7.2.

Workarounds

None
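
The 3D-graphics and USB-controller workarounds above, and the vmxnet3 condition for CVE-2020-3971, all come down to what is configured on each virtual machine. As an added illustration (not from the advisory or from VMware), the following Python script reads a VM's .vmx configuration and reports which of the issues in this advisory the VM is exposed to, together with the workaround the advisory gives; it assumes the standard .vmx keys mks.enable3d, ehci.present, usb_xhci.present and ethernetN.virtualDev, and the sample configuration is constructed.

```python
import re

# Constructed sample .vmx for illustration (not from the advisory): a VM with 3D
# acceleration on, EHCI and xHCI USB controllers present, and a vmxnet3 NIC.
SAMPLE_VMX = """\
displayName = "lab-vm"
mks.enable3d = "TRUE"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
"""

# Exposure rules taken from the advisory's Known Attack Vectors and Workarounds:
# (vmx key, CVEs that need this device or setting, workaround the advisory gives).
RULES = [
    ("mks.enable3d", ["CVE-2020-3962", "CVE-2020-3969", "CVE-2020-3970"],
     "uncheck 'Accelerate 3D graphics' (mks.enable3d = FALSE)"),
    ("ehci.present", ["CVE-2020-3964", "CVE-2020-3966", "CVE-2020-3967"],
     "remove the USB 2.0 (EHCI) controller"),
    ("usb_xhci.present", ["CVE-2020-3965", "CVE-2020-3968"],
     "remove the USB 3.0 (xHCI) controller"),
]

_KV = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict[str, str]:
    """Parse the key = "value" lines of a .vmx file; keys are case-insensitive."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def is_true(cfg: dict[str, str], key: str) -> bool:
    # An absent key counts as not enabled, which is the ESXi default for 3D graphics;
    # Workstation/Fusion enable 3D by default, so confirm an absent key in the UI there.
    return cfg.get(key, "FALSE").strip().upper() == "TRUE"


def vmxnet3_adapters(cfg: dict[str, str]) -> list[str]:
    """ethernetN adapters that are present and use the vmxnet3 device."""
    nics = []
    for key, val in cfg.items():
        m = re.fullmatch(r"(ethernet\d+)\.virtualdev", key)
        if m and val.lower() == "vmxnet3" and is_true(cfg, m.group(1) + ".present"):
            nics.append(m.group(1))
    return sorted(nics)


def audit(cfg: dict[str, str]) -> list[dict]:
    """Map a VM's configuration to the VMSA-2020-0015 issues it is exposed to."""
    findings = [{"setting": key, "cves": cves, "workaround": fix}
                for key, cves, fix in RULES if is_true(cfg, key)]
    nics = vmxnet3_adapters(cfg)
    if nics:  # CVE-2020-3971 lists no workaround; patching is the only fix
        findings.append({"setting": ",".join(nics), "cves": ["CVE-2020-3971"],
                         "workaround": "none listed; apply the patch"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_vmx(SAMPLE_VMX)):
        print(f"{f['setting']}: {', '.join(f['cves'])} -> {f['workaround']}")
```

An empty result means the VM has none of the devices or settings the advisory's attack vectors require; it says nothing about whether the host or product is patched.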

Downloads and Documentation:

VMware Patch Release ESXi 7.0b
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html

VMware ESXi 6.7 ESXi670-202004101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202004002.html

VMware ESXi 6.7 ESXi670-201904101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html

VMware ESXi 6.5 ESXi650-202005401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202005001.html

VMware ESXi 6.5 ESXi650-201907101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-esxi-65u3-release-notes.html

VMware Workstation Pro 15.5.5 (Latest)
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.5 (Latest)
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.5 (Latest)
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware Cloud Foundation 4.0.1
*release pending*

VMware Cloud Foundation 3.10.0.1
*release pending*

VMware Cloud Foundation 3.7.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.7.2/rn/VMware-Cloud-Foundation-372-Release-Notes.html

VMware Cloud Foundation 3.10
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10/rn/VMware-Cloud-Foundation-310-Release-Notes.html

Here is a link to the official advisory from VMware:

https://www.vmware.com/security/advisories/VMSA-2020-0015.html

Happy Patching!