VMware issued a new security advisory on 23rd June, 2020. VMSA-2020-0015 addresses ten security vulnerabilities in various VMware products.
Among these, CVE-2020-3962 is a critical vulnerability with a 9.3 CVSSv3 base score. The remaining nine flaws are of Important and Moderate severity.
Affected VMware Products:
- VMware ESXi
- VMware Workstation Pro/Player (Workstation)
- VMware Fusion Pro/Fusion (Fusion)
- VMware Cloud Foundation
Vulnerability Details
- CVE-2020-3962
  - Use-after-free vulnerability in SVGA device
  - Attackers with local access to a virtual machine with 3D graphics enabled can exploit this vulnerability to execute code on the hypervisor from a virtual machine.
- CVE-2020-3969
  - Off-by-one heap-overflow vulnerability in SVGA device
  - Attackers with local access to a virtual machine with 3D graphics enabled can exploit this vulnerability to execute code on the hypervisor from a virtual machine.
- CVE-2020-3970
  - Out-of-bounds read issue in Shader Functionality
  - Attackers with non-administrative local access to a virtual machine with 3D graphics enabled can exploit this vulnerability to crash the virtual machine’s Virtual Machine Extension (VMX) process leading to a partial denial of service condition.
- CVE-2020-3967
  - Heap-overflow issue in Enhanced Host Controller Interface (EHCI) controller
  - Attackers with local access to a virtual machine can exploit this vulnerability to execute code on the hypervisor from a virtual machine.
- CVE-2020-3968
  - Out-of-bounds write vulnerability in Extensible Host Controller Interface (xHCI) controller
  - Attackers with local administrative privileges on a virtual machine can exploit this issue to crash the virtual machine’s Virtual Machine Extension (VMX) process leading to a denial of service condition or execute code on the hypervisor from a virtual machine.
- CVE-2020-3966
  - Heap-overflow due to race condition in Enhanced Host Controller Interface (EHCI) controller
  - Attackers with local access to a virtual machine can exploit this vulnerability to execute code on the hypervisor from a virtual machine.
- CVE-2020-3965
  - Information leak in the Extensible Host Controller Interface (xHCI) USB controller
  - Attackers with local access to a virtual machine can read privileged information contained in hypervisor memory from a virtual machine.
- CVE-2020-3964
  - Information leak in the Enhanced Host Controller Interface (EHCI) USB controller
  - Attackers with local access to a virtual machine can read privileged information contained in the hypervisor’s memory.
- CVE-2020-3963
  - Use-after-free vulnerability in PVNVRAM (Non Volatile Random Access Memory)
  - Attackers with local access to a virtual machine can read privileged information contained in hypervisor memory from a virtual machine.
- CVE-2020-3971
  - Heap overflow vulnerability in vmxnet3 (VMXNET Generation 3)
  - Attackers with local access to a virtual machine with a vmxnet3 network adapter present can read privileged information contained in hypervisor memory from a virtual machine.
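Several of the flaws above depend on a specific virtual device being present (3D graphics, an EHCI or xHCI USB controller, a vmxnet3 adapter). The following is an added example, not code from VMware or Qualys, that reads a VM's `.vmx` configuration and reports which of those CVEs have their device precondition met. It assumes the usual `.vmx` key names (`mks.enable3d`, `ehci.present`, `usb_xhci.present`, `ethernetN.virtualDev`) and uses a constructed sample configuration.

```python
import re

# Device precondition named in the list above -> CVEs that depend on it.
# CVE-2020-3963 (PVNVRAM) has no device precondition on the page, so only
# patching addresses it and it is not part of this check.
EXPOSURE = {
    "3d_graphics": ["CVE-2020-3962", "CVE-2020-3969", "CVE-2020-3970"],
    "ehci_usb": ["CVE-2020-3964", "CVE-2020-3966", "CVE-2020-3967"],
    "xhci_usb": ["CVE-2020-3965", "CVE-2020-3968"],
    "vmxnet3": ["CVE-2020-3971"],
}
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
NIC_KEY = re.compile(r"ethernet(\d+)\.virtualdev")

# Constructed sample .vmx content, not taken from a real host.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "build-agent-01"
mks.enable3d = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
"""

def parse_vmx(text):
    """Return {lowercased key: value}; lines that are not key = "value" are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def exposed_devices(cfg):
    """Assumption: a missing key means the device or feature is off."""
    on = lambda key: cfg.get(key, "").strip().lower() == "true"
    found = set()
    if on("mks.enable3d"):
        found.add("3d_graphics")
    if on("ehci.present"):
        found.add("ehci_usb")
    if on("usb_xhci.present"):
        found.add("xhci_usb")
    for key, value in cfg.items():
        m = NIC_KEY.fullmatch(key)
        if m and value.lower() == "vmxnet3" and on(f"ethernet{m.group(1)}.present"):
            found.add("vmxnet3")
    return found

def cves_in_scope(vmx_text):
    """CVEs from the advisory whose device precondition this VM meets."""
    devices = exposed_devices(parse_vmx(vmx_text))
    return sorted(cve for dev in devices for cve in EXPOSURE[dev])
```

Run `cves_in_scope()` over each VM's configuration to prioritise patching and to confirm that a workaround actually took effect. An empty result does not mean the host is patched.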
Affected Product Versions, Patched Versions and Workarounds:
- VMware ESXi 7.0
Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
7.0 | CVE-2020-3962, CVE-2020-3969, CVE-2020-3970 | 9.3 | ESXi_7.0.0-1.20.16321839 | Disable 3D features on Server and desktop virtual machines |
7.0 | CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | 8.1 | ESXi_7.0.0-1.20.16321839 | Remove USB Controller |
7.0 | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | ESXi_7.0.0-1.20.16321839 | Remove USB Controller |
- VMware ESXi 6.7
Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
6.7 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397 | 9.3 | ESXi670-202004101-SG | Disable 3D features on Server and desktop virtual machines |
6.7 | CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | 8.1 | ESXi670-202004101-SG | Remove USB Controller |
6.7 | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | ESXi670-202006401-SG | Remove USB Controller |
6.7 | CVE-2020-3971 | 5.9 | ESXi670-201904101-SG | None |
- VMware ESXi 6.5
Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
6.5 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397 | 9.3 | ESXi650-202005401-SG | Disable 3D features on Server and desktop virtual machines |
6.5 | CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | 8.1 | ESXi650-202005401-SG | Remove USB Controller |
6.5 | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | ESXi650-202005401-SG | Remove USB Controller |
6.5 | CVE-2020-3971 | 5.9 | ESXi650-201907101-SG | None |
- VMware Workstation Pro / Player and VMware Fusion Pro / Fusion
Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
Workstation 15.x / Fusion 11.x | CVE-2020-3962, CVE-2020-3969, CVE-2020-3970 | 9.3 | Workstation 15.5 / Fusion 11.5 | KB59146 |
Workstation 15.x / Fusion 11.x | CVE-2020-3967, CVE-2020-3968 | 8.1 | Workstation 15.5 / Fusion 11.5 | Remove USB Controller |
Workstation 15.x / Fusion 11.x | CVE-2020-3966 | 8.1 | Workstation 15.2 / Fusion 11.2 | Remove USB Controller |
Workstation 15.x / Fusion 11.x | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | Workstation 15.2 / Fusion 11.2 | Remove USB Controller |
Workstation 15.x / Fusion 11.x | CVE-2020-3971 | 5.9 | Workstation 15.0.2 / Fusion 11.0.2 | None |
- VMware Cloud Foundation
Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
4.x / 3.x | CVE-2020-3962, CVE-2020-3969, CVE-2020-3970 | 9.3 | 4.0.1 / 3.10 | Disable 3D features on Server and desktop virtual machines |
4.x / 3.x | CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | 8.1 | 4.0.1 / 3.10 | Remove USB Controller |
4.x / 3.x | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | 4.0.1 / 3.10.0.1 | Remove USB Controller |
3.x | CVE-2020-3971 | 5.9 | 3.7.2 | None |
Detection:
Qualys customers can scan their network with the following QIDs to detect vulnerable assets:
Affected Versions | CVE Identifier | QID |
VMware ESXi 7.0 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397, CVE-2020-3967, CVE-2020-3968, CVE-2020-3966, CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | QID 216229: VMware ESXi 7.0 Patch Release ESXi_7.0.0-1.20.16321839 Missing (VMSA-2020-0015) |
VMware ESXi 6.7 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397, CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | QID 216230: VMware ESXi 6.7 Patch Release ESXi670-202004101-SG Missing (VMSA-2020-0015) |
VMware ESXi 6.7 | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | QID 216232: VMware ESXi 6.7 Patch Release ESXi670-202006401-SG Missing (VMSA-2020-0015) |
VMware ESXi 6.7 | CVE-2020-3971 | QID 216231: VMware ESXi 6.7 Patch Release ESXi670-201904101-SG Missing (VMSA-2020-0015) |
VMware ESXi 6.5 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397, CVE-2020-3967, CVE-2020-3968, CVE-2020-3966, CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | QID 216233: VMware ESXi 6.5 Patch Release ESXi650-202005401-SG Missing (VMSA-2020-0015) |
VMware ESXi 6.5 | CVE-2020-3971 | QID 216198: VMware ESXi 6.5 Patch Release ESXi650-201907101-SG Missing (VMSA-2019-0013, VMSA-2020-0015) |
Workstation 15.x / Fusion 11.x | CVE-2020-3962, CVE-2020-3969, CVE-2020-3970, CVE-2020-3967, CVE-2020-3968 | QID 372937: VMware Workstation and VMware Fusion Multiple Vulnerabilities (VMSA-2020-0015) |
Workstation 15.x / Fusion 11.x | CVE-2020-3966, CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | QID 372938: VMware Workstation and VMware Fusion Multiple Vulnerabilities (VMSA-2020-0015) |
Workstation 15.x / Fusion 11.x | CVE-2020-3971 | QID 372939: VMware Workstation and VMware Fusion Heap Overflow Vulnerability (VMSA-2020-0015) |
Please continue to follow Qualys Threat Protection for more coverage on these vulnerabilities.
References & Sources:
https://www.vmware.com/security/advisories/VMSA-2020-0015.html