VMware Security Announcement VMSA-2020-0018

I usually blog about new security alerts as soon as I see the email come in, so I apologize for the delay in getting this out. VMware released VMSA-2020-0018 on 8/20, which addresses vulnerabilities in VMware ESXi, vCenter Server, and Cloud Foundation. The released updates address a partial denial of service vulnerability (CVE-2020-3976).

Impacted Products

  • VMware ESXi
  • VMware vCenter Server
  • VMware Cloud Foundation

Introduction

A partial denial of service vulnerability in VMware ESXi and vCenter Server was privately reported to VMware. Patches and updates are available to remediate this vulnerability in the affected VMware products. Links to the updates are provided below.

Partial denial of service vulnerability via authentication services (CVE-2020-3976)

Description

VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to ESXi or vCenter may be able to exploit this vulnerability to exhaust memory resources, resulting in degraded performance for as long as the attack is sustained.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.0-1.25.16324942. Download links are provided in the downloads section.

For ESXi 6.7, apply patches ESXi670-202008101-SG and ESXi670-202008401-BG. Download links are provided in the downloads section.

For ESXi 6.5, apply patches ESXi650-202007101-SG and ESXi650-202007401-BG. Download links are provided in the downloads section.

For vCenter 7.0, apply patch 7.0.0b. Download links are provided in the downloads section.

For vCenter 6.7, apply patch 6.7u3j. Download links are provided in the downloads section.

For vCenter 6.5, apply patch 6.5u3k. Download links are provided in the downloads section.

For Cloud Foundation (ESXi) 4.x.x, apply patch 4.0.1. Download links are provided in the downloads section.

For Cloud Foundation (ESXi) 3.x.x, apply patch 3.10.0. Download links are provided in the downloads section.

For Cloud Foundation (vCenter) 4.x.x, apply patch 4.0.1. Download links are provided in the downloads section.

For Cloud Foundation (vCenter) 3.x.x, the patch release is pending (3.10.1).

Workarounds

None.

Downloads and Documentation

VMware ESXi Patch Release 7.0b

https://my.vmware.com/group/vmware/patch

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/esxi70b.html

VMware ESXi 6.7 ESXi670-202008101-SG and ESXi670-202008401-BG

https://my.vmware.com/group/vmware/patch

VMware ESXi 6.5 ESXi650-202007101-SG and ESXi650-202007401-BG

https://my.vmware.com/group/vmware/patch

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202007001.html

vCenter Server 7.0.0b

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC700B&productId=974&rPId=50093

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-700b-release-notes.html

vCenter Server 6.7u3j

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC67U3J&productId=742&rPId=50446

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3j-release-notes.html

vCenter Server 6.5u3k

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3k-release-notes.html

VMware Cloud Foundation 4.0.1

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF401&productId=1015&rPId=48125

VMware Cloud Foundation 3.10.0

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF310&productId=1001&rPId=46540

VMware Cloud Foundation 3.10.1

** Release Pending **

Here is the link to the official advisory from VMware:

https://www.vmware.com/security/advisories/VMSA-2020-0018.html

Happy Patching!