VMware Security Announcement VMSA-2020-0023. Critical update CVSSv3 score of 9.8

Today VMware released a new Security Announcement, VMSA-2020-0023. It affects VMware ESXi, vCenter, Workstation, Fusion and NSX-T; the updates address multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995). Keep reading for more details.

**Updated 11/20/2020**

Updated security advisory to add Workstation 15.x version in the response matrix of section CVE-2020-3981 and CVE-2020-3982.

Impacted Products
  • VMware ESXi
  • VMware vCenter
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • NSX-T
  • VMware Cloud Foundation

Introduction

Multiple vulnerabilities in VMware ESXi, Workstation, Fusion and NSX-T were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

Description

OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.U1a-17119627. Download links and release notes will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202010401-SG. Download links and release notes will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202010401-SG. Download links and release notes will be provided in the downloads section.

For VMware Cloud Foundation (ESXi) 4.x, apply patch 4.1.0.1. Download links and release notes will be provided in the downloads section.

For VMware Cloud Foundation (ESXi) 3.x, apply patch 3.10.1.2. Download links and release notes will be provided in the downloads section.

Workarounds

A workaround for this vulnerability is documented in KB76372: https://kb.vmware.com/s/article/76372

This workaround is applicable ONLY to ESXi. Do not apply this workaround to other VMware products.

Functionality Impacts:

With the workaround, CIM clients that use SLP to find CIM servers over port 427 will not be able to locate the service.

Solution

To implement the workaround perform the following steps:

  1. Stop the SLP service on the ESXi host with this command:

/etc/init.d/slpd stop

Note: The SLP service can only be stopped when the service is not in use. Use the following command to view the operational state of Service Location Protocol Daemon:

esxcli system slp stats get

  2. Run the following command to disable the SLP service:

esxcli network firewall ruleset set -r CIMSLP -e 0


To make this change persist across reboots:

chkconfig slpd off


To check if the change is applied across reboots:


chkconfig --list | grep slpd

output: slpd off

To remove the workaround perform the following steps:

  1. Run the following command to enable the ruleset of SLP service:

esxcli network firewall ruleset set -r CIMSLP -e 1

  2. Run the following command to change the current startup information of slpd service:

chkconfig slpd on

Run the following command to check if the change is applied after running the above step (Step 2):

chkconfig --list | grep slpd

output: slpd on

  3. Run the following command to start the SLP service:

/etc/init.d/slpd start

  4. Disable and enable the CIM agent
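
The check below is an added example, not part of the VMware advisory or KB76372. It reads captured output of `chkconfig --list` and `esxcli network firewall ruleset list` and reports whether both persistent parts of the workaround are in place, so that a host where only one was changed shows up as partial. The function names are hypothetical, the sample output is constructed, and the two-column `Name`/`Enabled` layout of the ruleset listing is an assumption.

```shell
#!/bin/sh
# Added example: audit the KB76372 SLP workaround from captured command output.

# Print the second column of the row whose first column is $2,
# or "unknown" if no such row exists in the text passed as $1.
column_state() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { print $2; found = 1; exit }
        END       { if (!found) print "unknown" }'
}

# $1: output of `chkconfig --list`
# $2: output of `esxcli network firewall ruleset list` (assumed Name/Enabled columns)
slp_workaround_state() {
    boot=$(column_state "$1" slpd)      # "on" / "off": startup setting of slpd
    rule=$(column_state "$2" CIMSLP)    # "true" / "false": firewall ruleset state
    case "$boot/$rule" in
        off/false) echo "applied" ;;
        on/true)   echo "not-applied" ;;
        *unknown*) echo "unknown (slpd=$boot CIMSLP=$rule)" ;;
        *)         echo "partial (slpd=$boot CIMSLP=$rule)" ;;
    esac
}

# Constructed sample output, not captured from a real host.
SAMPLE_CHKCONFIG='ntpd                    on
slpd                    off
sfcbd-watchdog          on'
SAMPLE_RULESET='Name        Enabled
----------  -------
sshServer      true
CIMSLP        false'

# Demonstration on the constructed samples.
slp_workaround_state "$SAMPLE_CHKCONFIG" "$SAMPLE_RULESET"

# On an ESXi host the same function would be fed live output:
#   slp_workaround_state "$(chkconfig --list)" \
#                        "$(esxcli network firewall ruleset list)"
```

A result of partial means one of the two settings from the steps above was changed without the other.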

NSX-T MITM vulnerability (CVE-2020-3993)

Description

VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.

Resolution

For NSX-T 3.x, apply patch 3.0.2. Download links and release notes will be provided in the downloads section.

For NSX-T 2.5.x, apply patch 2.5.2.2.0. Download links and release notes will be provided in the downloads section.

For VMware Cloud Foundation 4.x, apply patch 4.1. Download links and release notes will be provided in the downloads section.

For VMware Cloud Foundation 3.x, apply patch 3.10.1.1. Download links and release notes will be provided in the downloads section.

TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability due to a time-of-check time-of-use issue in the ACPI device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.1-0.0.16850804. Download links and release notes will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202008101-SG. Download links and release notes will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202007101-SG. Download links and release notes will be provided in the downloads section.

Fusion 12.x is not affected by this vulnerability.

For Fusion 11.x, apply patch 11.5.6. Download links and release notes will be provided in the downloads section.

Workstation 16.x is not affected by this vulnerability.

For Workstation 15.x, apply patch 15.5.7. Download links will be provided below.

For VMware Cloud Foundation 4.x, apply patch 4.1. Download links and release notes will be provided in the downloads section.

For VMware Cloud Foundation 3.x, apply patch 3.10.1. Download links and release notes will be provided in the downloads section.

TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)

Description

VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in the ACPI device. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine's vmx process or corrupt the hypervisor's memory heap.

Resolution

For ESXi 7.0, apply patch ESXi_7.0.1-0.0.16850804. Download links and release notes will be provided in the downloads section.

For ESXi 6.7, apply patch ESXi670-202008101-SG. Download links and release notes will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-202007101-SG. Download links and release notes will be provided in the downloads section.

Fusion 12.x is not affected by this vulnerability.

For Fusion 11.x, apply patch 11.5.6. Download links and release notes will be provided in the downloads section.

Workstation 16.x is not affected by this vulnerability.

For Workstation 15.x, apply patch 15.5.7. Download links will be provided below.

For VMware Cloud Foundation 4.x, apply patch 4.1. Download links and release notes will be provided in the downloads section.

For VMware Cloud Foundation 3.x, apply patch 3.10.1. Download links and release notes will be provided in the downloads section.

vCenter Server session hijack vulnerability in update function (CVE-2020-3994)

Description

VMware vCenter Server contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.

Resolution

vCenter Server 7.0 is not affected by this vulnerability.

For vCenter Server Virtual Appliance 6.7, apply patch 6.7U3. Download links and release notes will be provided in the downloads section.

vCenter Server 6.7 on Windows is not affected by this vulnerability.

For vCenter Server Virtual Appliance 6.5, apply patch 6.5U3k. Download links and release notes will be provided in the downloads section.

vCenter Server 6.5 on Windows is not affected by this vulnerability.

VMware Cloud Foundation (vCenter Server) 4.x is not affected by this vulnerability.

For VMware Cloud Foundation (vCenter Server) 3.x, apply patch 3.9.0. Download links and release notes will be provided in the downloads section.

VMCI host driver memory leak vulnerability (CVE-2020-3995)

Description

The VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.

Resolution

ESXi 7.0 is not affected by this vulnerability.

For ESXi 6.7, apply patch ESXi670-201908101-SG. Download links and release notes will be provided in the downloads section.

For ESXi 6.5, apply patch ESXi650-201907101-SG. Download links and release notes will be provided in the downloads section.

For Fusion 11.x, apply patch 11.1.0. Download links and release notes will be provided in the downloads section.

For Workstation 15.x, apply patch 15.1.0. Download links and release notes will be provided in the downloads section.

VMware Cloud Foundation (ESXi) 4.x is not affected by this vulnerability.

For VMware Cloud Foundation (ESXi) 3.x, apply patch 3.9.0. Download links and release notes will be provided in the downloads section.

References and Downloads

VMware ESXi 7.0 ESXi70U1a-17119627
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1a.html

VMware ESXi 6.7 ESXi670-202010401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202010001.html

VMware ESXi 6.5 ESXi650-202010401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202010001.html

VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Workstation Pro 15.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware NSX-T 3.0.2
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-302&productId=982&rPId=52624
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware NSX-T 2.5.2.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-2522&productId=673&rPId=53876
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html

VMware vCenter Server 6.7u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC67U3&productId=742&rPId=52126

VMware vCenter Server 6.5u3k
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173

VMware vCloud Foundation 4.1.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html#4.1.0.1

VMware vCloud Foundation 3.10.1.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.2

VMware vCloud Foundation 4.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html

VMware vCloud Foundation 3.10.1.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.1

VMware vCloud Foundation 3.9
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VCF390&productId=945&rPId=41516

Also, here is a link to the official VMware advisory:

https://www.vmware.com/security/advisories/VMSA-2020-0023.html

Thanks for reading and happy patching!