VMware Security Announcement VMSA-2020-0020
Today VMware released a new security announcement VMSA-2020-0020. This affects VMware Workstation, Fusion and Horizon Client updates and addresses multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990).
Impacted Products
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Horizon Client for Windows
Introduction
Multiple vulnerabilities in VMware Workstation, Fusion and Horizon Client were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. Download links will be provided below.
PATH configuration privilege escalation vulnerability (CVE-2020-3980)
Description
VMware Fusion contains a privilege escalation vulnerability due to the way it allows configuring the system wide path. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.
Known Attack Vectors
An attacker with normal user privileges may exploit this issue to trick an admin user into executing malicious code on the system where Fusion is installed.
Resolution
VMware Fusion 12.x is not affected by this vulnerability
There is a patch pending release for VMware Fusion 11.x
Workarounds
None.
Multiple out-of-bounds read vulnerabilities via Cortado ThinPrint (CVE-2020-3986, CVE-2020-3987, CVE-2020-3988)
Description
VMware Workstation and Horizon Client for Windows contain multiple out-of-bounds read vulnerabilities in Cortado ThinPrint component. These issues exist in the EMF and JPEG2000 parsers. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.2.
Known Attack Vectors
A malicious actor with normal access to a virtual machine may be able to exploit these issues to create a partial denial-of-service condition or to leak memory from TPView process running on the system where Workstation or Horizon Client for Windows is installed.
Resolution
To remediate the Horizon Client for Windows install patch 5.4.4. DOwnload links willbe provided below
VMware Workstation 16.x is not affected by this vulnerability.
VMware Workstation 15.x for Linux is also not affected by this vulnerability
There is a patch pending release for VMware Workstation 15.x for Windows.
Workarounds
None.
Notes
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.
Denial-of-service vulnerability via Cortado ThinPrint (CVE-2020-3989)
Description
VMware Workstation and Horizon Client for Windows contain a denial of service vulnerability due to an out-of-bounds write issue in Cortado ThinPrint component. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.8.
Known Attack Vectors
A malicious actor with normal access to a virtual machine may be able to exploit this issue to create a partial denial-of-service condition on the system where Workstation or Horizon Client for Windows is installed.
Resolution
For Horizon Client for Windows 5.x and prior install fixed version 5.4.4. Download links will be provided below
VMware Workstation 16.x is not affected by this vulnerability.
VMware Workstation 15.x for Linux is also not affected by this vulnerability
There is a patch pending release for VMware Workstation 15.x for Windows.
Workarounds
None.
Notes
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.
Information disclosure vulnerability via Cortado ThinPrint (CVE-2020-3990)
VMware Workstation and Horizon Client for Windows contain an information disclosure vulnerability due to an integer overflow issue in Cortado ThinPrint component. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.8.
Known Attack Vectors
A malicious actor with normal access to a virtual machine may be able to exploit this issue to leak memory from TPView process running on the system where Workstation or Horizon Client for Windows is installed.
Resolution
For Horizon Client for Windows 5.x and prior install fixed version 5.4.4. Download links will be provided below
VMware Workstation 16.x is not affected by this vulnerability.
VMware Workstation 15.x for Linux is also not affected by this vulnerability
There is a patch pending release for VMware Workstation 15.x for Windows.
Workarounds
None.
Notes
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.
References
Fixed Version(s) and Release Notes:
VMware Workstation Pro 16.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 16.0
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion 12.0
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
VMware Horizon Client 5.4.4
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html
This post will be updated when the pending patches are released. check back for updated information.
Thanks!!