VMware Security Announcement VMSA-2020-0023. Critical update CVSSv3 score of 9.8
Today VMware released a new Security Announcement, VMSA-2020-0023. This affects VMware ESXi, vCenter, Workstation, Fusion and NSX-T. The updates address multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995). Keep reading for more details.
**Updated 11/20/2020**
Updated security advisory to add Workstation 15.x version in the response matrix of section CVE-2020-3981 and CVE-2020-3982.
Impacted Products
- VMware ESXi
- VMware vCenter
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- NSX-T
- VMware Cloud Foundation
Introduction
Multiple vulnerabilities in VMware ESXi, Workstation, Fusion and NSX-T were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)
Description
OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
Resolution
For ESXi 7.0, apply patch ESXi_7.0.U1a-17119627. Download links and release notes will be provided in the downloads section.
For ESXi 6.7, apply patch ESXi670-202010401-SG. Download links and release notes will be provided in the downloads section.
For ESXi 6.5, apply patch ESXi650-202010401-SG. Download links and release notes will be provided in the downloads section.
For VMware Cloud Foundation (ESXi) 4.x, apply patch 4.1.0.1. Download links and release notes will be provided in the downloads section.
For VMware Cloud Foundation (ESXi) 3.x, apply patch 3.10.1.2. Download links and release notes will be provided in the downloads section.
Workarounds
There is a workaround provided for this vulnerability found in KB76372. https://kb.vmware.com/s/article/76372
This workaround is applicable ONLY to ESXi. Do not apply this workaround to other VMware products.
Functionality Impacts:
With the workaround, CIM clients which use SLP to find CIM servers over port 427 will not be able to locate the service.
Solution
To implement the workaround perform the following steps:
- Stop the SLP service on the ESXi host with this command:
/etc/init.d/slpd stop
Note: The SLP service can only be stopped when the service is not in use. Use the following command to view the operational state of Service Location Protocol Daemon:
esxcli system slp stats get
- Run the following command to disable the SLP service:
esxcli network firewall ruleset set -r CIMSLP -e 0
To make this change persist across reboots:
chkconfig slpd off
To check if the change is applied across reboots:
chkconfig --list | grep slpd
output: slpd off
To remove the workaround perform the following steps:
- Run the following command to enable the ruleset of SLP service:
esxcli network firewall ruleset set -r CIMSLP -e 1
- Run the following command to change the current startup information of slpd service:
chkconfig slpd on
Run the following command to check if the change is applied after running the above step (Step 2#):
chkconfig --list | grep slpd
output: slpd on
- Run the following command to start the SLP service:
/etc/init.d/slpd start
- Disable and enable the CIM agent
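To confirm that both halves of the workaround (service startup and firewall ruleset) are actually in effect, a check like the following can be used. This is an added example, not part of the VMware KB; the `esxcli network firewall ruleset list -r CIMSLP` call, its assumed two-column output layout and the sample text are assumptions that do not come from the advisory.

```shell
#!/bin/sh
# Added example: is the KB76372 SLP workaround fully in place on this host?
# Parsers read command output on stdin so they also work on collected output.

# Boot-time state of slpd from `chkconfig --list`: on, off or unknown.
slpd_startup() {
    awk '$1 == "slpd" { s = $2 }
         END { if (s == "on" || s == "off") print s; else print "unknown" }'
}

# CIMSLP ruleset state from `esxcli network firewall ruleset list`
# (assumed layout: Name and Enabled columns): true, false or unknown.
cimslp_enabled() {
    awk '$1 == "CIMSLP" { s = $2 }
         END { if (s == "true" || s == "false") print s; else print "unknown" }'
}

# $1 = slpd startup state, $2 = CIMSLP enabled. PARTIAL means only one of
# the two settings was changed, e.g. slpd is off but the ruleset is still on.
workaround_state() {
    case "$1:$2" in
        off:false) echo "APPLIED" ;;
        on:true)   echo "NOT_APPLIED" ;;
        *unknown*) echo "UNKNOWN" ;;
        *)         echo "PARTIAL" ;;
    esac
}

# Constructed sample output (not captured from a real host).
SAMPLE_CHKCONFIG='sfcbd-watchdog          on
slpd                    off'
SAMPLE_RULESET='Name    Enabled
------  -------
CIMSLP     true'

if command -v esxcli >/dev/null 2>&1; then
    # On an ESXi host: query the live state.
    startup=$(chkconfig --list | slpd_startup)
    ruleset=$(esxcli network firewall ruleset list -r CIMSLP | cimslp_enabled)
else
    # Anywhere else: evaluate the constructed sample above.
    startup=$(printf '%s\n' "$SAMPLE_CHKCONFIG" | slpd_startup)
    ruleset=$(printf '%s\n' "$SAMPLE_RULESET" | cimslp_enabled)
fi
echo "slpd startup=$startup, CIMSLP enabled=$ruleset: $(workaround_state "$startup" "$ruleset")"
```

Run off-host, it evaluates the constructed sample and reports PARTIAL, the state left behind when `chkconfig slpd off` was run but the CIMSLP ruleset was never disabled.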
NSX-T MITM vulnerability (CVE-2020-3993)
Description
VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors
A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.
Resolution
For NSX-T 3.x, apply patch 3.0.2. Download links and release notes will be provided in the downloads section.
For NSX-T 2.5.x, apply patch 2.5.2.2.0. Download links and release notes will be provided in the downloads section.
For VMware Cloud Foundation 4.x, apply patch 4.1. Download links and release notes will be provided in the downloads section.
For VMware Cloud Foundation 3.x, apply patch 3.10.1.1. Download links and release notes will be provided in the downloads section.
TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)
Description
VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability due to a time-of-check time-of-use issue in ACPI device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors
A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.
Resolution
For ESXi 7.0, apply patch ESXi_7.0.1-0.0.16850804. Download links and release notes will be provided in the downloads section.
For ESXi 6.7, apply patch ESXi670-202008101-SG. Download links and release notes will be provided in the downloads section.
For ESXi 6.5, apply patch ESXi650-202007101-SG. Download links and release notes will be provided in the downloads section.
Fusion 12.x is not affected by this vulnerability.
For Fusion 11.x, apply patch 11.5.6. Download links and release notes will be provided in the downloads section.
Workstation 16.x is not affected by this vulnerability.
For Workstation 15.x, apply patch 15.5.7. Download links will be provided below.
For VMware Cloud Foundation 4.x, apply patch 4.1. Download links and release notes will be provided in the downloads section.
For VMware Cloud Foundation 3.x, apply patch 3.10.1. Download links and release notes will be provided in the downloads section.
TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)
Description
VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in ACPI device. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.
Known Attack Vectors
A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine's vmx process or corrupt hypervisor's memory heap.
Resolution
For ESXi 7.0, apply patch ESXi_7.0.1-0.0.16850804. Download links and release notes will be provided in the downloads section.
For ESXi 6.7, apply patch ESXi670-202008101-SG. Download links and release notes will be provided in the downloads section.
For ESXi 6.5, apply patch ESXi650-202007101-SG. Download links and release notes will be provided in the downloads section.
Fusion 12.x is not affected by this vulnerability.
For Fusion 11.x, apply patch 11.5.6. Download links and release notes will be provided in the downloads section.
Workstation 16.x is not affected by this vulnerability.
For Workstation 15.x, apply patch 15.5.7. Download links will be provided below.
For VMware Cloud Foundation 4.x, apply patch 4.1. Download links and release notes will be provided in the downloads section.
For VMware Cloud Foundation 3.x, apply patch 3.10.1. Download links and release notes will be provided in the downloads section.
vCenter Server session hijack vulnerability in update function (CVE-2020-3994)
Description
VMware vCenter Server contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors
A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.
Resolution
vCenter Server 7.0 is not affected by this vulnerability.
For vCenter Server Virtual Appliance 6.7, apply patch 6.7U3. Download links and release notes will be provided in the downloads section.
vCenter Server 6.7 on Windows is not affected by this vulnerability.
For vCenter Server Virtual Appliance 6.5, apply patch 6.5U3k. Download links and release notes will be provided in the downloads section.
vCenter Server 6.5 on Windows is not affected by this vulnerability.
VMware Cloud Foundation (vCenter Server) 4.x is not affected by this vulnerability.
For VMware Cloud Foundation (vCenter Server) 3.x, apply patch 3.9.0. Download links and release notes will be provided in the downloads section.
VMCI host driver memory leak vulnerability (CVE-2020-3995)
Description
The VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors
A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.
Resolution
ESXi 7.0 is not affected by this vulnerability.
For ESXi 6.7, apply patch ESXi670-201908101-SG. Download links and release notes will be provided in the downloads section.
For ESXi 6.5, apply patch ESXi650-201907101-SG. Download links and release notes will be provided in the downloads section.
For Fusion 11.x, apply patch 11.1.0. Download links and release notes will be provided in the downloads section.
For Workstation 15.x, apply patch 15.1.0. Download links and release notes will be provided in the downloads section.
VMware Cloud Foundation (ESXi) 4.x is not affected by this vulnerability.
For VMware Cloud Foundation (ESXi) 3.x, apply patch 3.9.0. Download links and release notes will be provided in the downloads section.
References and Downloads
VMware ESXi 7.0 ESXi70U1a-17119627
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1a.html
VMware ESXi 6.7 ESXi670-202010401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202010001.html
VMware ESXi 6.5 ESXi650-202010401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202010001.html
VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Workstation Pro 15.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 15.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion 11.5.6
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
VMware NSX-T 3.0.2
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-302&productId=982&rPId=52624
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html
VMware NSX-T 2.5.2.2.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=NSX-T-2522&productId=673&rPId=53876
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html
VMware vCenter Server 6.7u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC67U3&productId=742&rPId=52126
VMware vCenter Server 6.5u3k
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VC65U3K&productId=614&rPId=50173
VMware vCloud Foundation 4.1.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html#4.1.0.1
VMware vCloud Foundation 3.10.1.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.2
VMware vCloud Foundation 4.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html
VMware vCloud Foundation 3.10.1.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.1
VMware vCloud Foundation 3.9
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VCF390&productId=945&rPId=41516
Also here is a link to the official VMware advisory
https://www.vmware.com/security/advisories/VMSA-2020-0023.html
Thanks for reading and happy patching!