VMware Security Announcement VMSA-2020-0026. Critical update! CVSSv3 Score 9.3

VMware released a new security advisory today, VMSA-2020-0026. It affects VMware ESXi, Workstation and Fusion; the updates address a use-after-free vulnerability and a privilege-escalation vulnerability (CVE-2020-4004 and CVE-2020-4005).

Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation

Introduction

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Resolution

For ESXi 7.0, apply patch ESXi70U1b-17168206. Download links will be provided below.

For ESXi 6.7, apply patch ESXi670-202011101-SG. Download links will be provided below.

For ESXi 6.5, apply patch ESXi650-202011301-SG. Download links will be provided below.

Fusion 12.x is not affected by this vulnerability.

For Fusion 11.x, apply patch 11.5.7. Download links will be provided below.

Workstation 16.x is not affected by this vulnerability.

For Workstation 15.x, apply patch 15.5.7. Download links will be provided below.

For VMware Cloud Foundation (ESXi) 4.x, apply patch 4.1.0.1. Download links will be provided below.

For VMware Cloud Foundation (ESXi) 3.x, apply patch 3.10.1.2. Download links will be provided below.

Workarounds

As a workaround for this vulnerability, remove the XHCI (USB 3.x) controller from VMs. Follow the link below for details.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-ACA30034-EC88-491B-8D8B-4E319611C308.html
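To find out which VMs still need the workaround, and whether an ESXi 7.0 host has reached the fixed build, here is an added Python example; it is not part of the advisory or of this post, and it is not VMware tooling. It assumes you have the text of each VM's .vmx file available (for instance copied off the datastore) and that the VMX key `usb_xhci.present` is the one that records an attached xHCI (USB 3.x) controller. The ESXi 7.0 fixed build number, 17168206, is taken from the patch id ESXi70U1b-17168206 quoted above; the advisory text reproduced here does not give fixed build numbers for 6.7 or 6.5, so those are deliberately not encoded. The sample VMX fragments are constructed for the example.

```python
import re

# Fixed ESXi 7.0 build, taken from the advisory's patch id ESXi70U1b-17168206.
# The page does not list the 6.7 / 6.5 fixed builds, so only 7.0 is encoded here.
ESXI70_FIXED_BUILD = 17168206

# VMX key set when a VM has an xHCI (USB 3.x) controller attached.
XHCI_KEY = "usb_xhci.present"

# VMX files are simple  key = "value"  lines; keys are case-insensitive.
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Parse VMX text into a dict of lowercased key -> value.

    Blank lines and '#' comments are skipped; lines that do not match the
    key = "value" shape are ignored rather than treated as an error.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def has_xhci(vmx_text):
    """True if the VMX config still has the xHCI controller present."""
    return parse_vmx(vmx_text).get(XHCI_KEY, "").strip().upper() == "TRUE"


def vms_needing_workaround(vms):
    """Return the sorted names of VMs whose config still has an xHCI controller.

    `vms` maps a VM name to the text of its .vmx file.
    """
    return sorted(name for name, text in vms.items() if has_xhci(text))


def esxi70_is_patched(build):
    """True if an ESXi 7.0 host build is at or past the fixed build for VMSA-2020-0026."""
    return int(build) >= ESXI70_FIXED_BUILD


# Constructed sample VMX fragments for demonstration (not real VM files).
SAMPLE_VMS = {
    "web01": (
        '.encoding = "UTF-8"\n'
        'displayName = "web01"\n'
        'usb.present = "TRUE"\n'
        'usb_xhci.present = "TRUE"\n'   # xHCI controller still attached
    ),
    "db01": (
        'displayName = "db01"\n'
        'usb.present = "TRUE"\n'
        'ehci.present = "TRUE"\n'        # USB 2.0 only, not affected by the workaround
    ),
    "legacy": (
        '# controller was removed per the workaround\n'
        'usb_xhci.present = "FALSE"\n'
    ),
}


if __name__ == "__main__":
    for name in vms_needing_workaround(SAMPLE_VMS):
        print(f"{name}: xHCI controller present, apply workaround or patch the host")
    for build in (17000000, 17168206):
        state = "patched" if esxi70_is_patched(build) else "NOT patched"
        print(f"ESXi 7.0 build {build}: {state}")
```

The scanner only reports configuration state; a VM flagged here is one where the workaround has not been applied, and the host-side check tells you whether the patch makes the workaround unnecessary on 7.0. If you want to run it over real inventory, replace `SAMPLE_VMS` with the contents of the actual .vmx files.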

VMX elevation-of-privilege vulnerability (CVE-2020-4005)

Description

VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor with privileges within the VMX process only may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability (e.g. CVE-2020-4004).

Resolution

For ESXi 7.0, apply patch ESXi70U1b-17168206. Download links will be provided below.

For ESXi 6.7, apply patch ESXi670-202011101-SG. Download links will be provided below.

For ESXi 6.5, apply patch ESXi650-202011301-SG. Download links will be provided below.

For VMware Cloud Foundation (ESXi) 4.x, apply patch 4.1.0.1. Download links will be provided below.

For VMware Cloud Foundation (ESXi) 3.x, apply patch 3.10.1.2. Download links will be provided below.

References

VMware ESXi 7.0 ESXi70U1b-17168206
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1b.html

VMware ESXi 6.7 ESXi670-202011101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011002.html

VMware ESXi 6.5 ESXi650-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011002.html

VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware vCloud Foundation 4.1.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html#4.1.0.1

VMware vCloud Foundation 3.10.1.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.2

Here is the link to the official advisory:

https://www.vmware.com/security/advisories/VMSA-2020-0026.html

Happy Patching!