VMware Security Announcement VMSA-2020-0020

November 20, 2020

Today VMware released a new security announcement VMSA-2020-0020. This affects VMware Workstation, Fusion and Horizon Client updates and addresses multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990).

‍

**Updated 11/20/2020**

Updated security advisory to add Fusion 11.x version in the response matrix of section of CVE-2020-3980 and Workstation 15.x version in the response matrix of section of CVE-2020-3986, CVE-2020-3987, CVE-2020-3988 CVE-2020-3989, and CVE-2020-3990.

‍

Impacted Products

VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows

Introduction

Multiple vulnerabilities in VMware Workstation, Fusion and Horizon Client were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. Download links will be provided below.

‍

PATH configuration privilege escalation vulnerability (CVE-2020-3980)

Description

VMware Fusion contains a privilege escalation vulnerability due to the way it allows configuring the system wide path. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.

Known Attack Vectors

An attacker with normal user privileges may exploit this issue to trick an admin user into executing malicious code on the system where Fusion is installed.

Resolution

VMware Fusion 12.x is not affected by this vulnerability

For VMware Fusion 11.x apply patch 11.5.7. Download links will be provided below.

Workarounds

None.

‍

Multiple out-of-bounds read vulnerabilities via Cortado ThinPrint (CVE-2020-3986, CVE-2020-3987, CVE-2020-3988)

Description

VMware Workstation and Horizon Client for Windows contain multiple out-of-bounds read vulnerabilities in Cortado ThinPrint component. These issues exist in the EMF and JPEG2000 parsers. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.2.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to exploit these issues to create a partial denial-of-service condition or to leak memory from TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Resolution

To remediate the Horizon Client for Windows install patch 5.4.4. Download links will be provided below

VMware Workstation 16.x is not affected by this vulnerability.

VMware Workstation 15.x for Linux is also not affected by this vulnerability

For VMware Workstation 15.x for Windows. Install patch 15.5.7, download links will be provided below

Workarounds

None.

Notes

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.

‍

Denial-of-service vulnerability via Cortado ThinPrint (CVE-2020-3989)

Description

VMware Workstation and Horizon Client for Windows contain a denial of service vulnerability due to an out-of-bounds write issue in Cortado ThinPrint component. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.8.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to exploit this issue to create a partial denial-of-service condition on the system where Workstation or Horizon Client for Windows is installed.

Resolution

For Horizon Client for Windows 5.x and prior install fixed version 5.4.4. Download links will be provided below

VMware Workstation 16.x is not affected by this vulnerability.

VMware Workstation 15.x for Linux is also not affected by this vulnerability

For VMware Workstation 15.x for Windows. Install patch 15.5.7, download links will be provided below.

Workarounds

None.

Notes

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.

‍

Information disclosure vulnerability via Cortado ThinPrint (CVE-2020-3990)

VMware Workstation and Horizon Client for Windows contain an information disclosure vulnerability due to an integer overflow issue in Cortado ThinPrint component. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.8.

Known Attack Vectors

A malicious actor with normal access to a virtual machine may be able to exploit this issue to leak memory from TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Resolution

For Horizon Client for Windows 5.x and prior install fixed version 5.4.4. Download links will be provided below

VMware Workstation 16.x is not affected by this vulnerability.

VMware Workstation 15.x for Linux is also not affected by this vulnerability

For VMware Workstation 15.x for Windows. Install patch 15.5.7, download links will be provided below.

Workarounds

None.

Notes

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.

‍