VMware Multiple Vulnerabilities (VMSA-2020-0026)

On November 19, 2020, VMware published an advisory addressing critical vulnerabilities in various VMware products.

VMware has evaluated the severity of CVE-2020-4004 to be “Critical” with a maximum CVSSv3 base score of 9.3. The severity of CVE-2020-4005 has been evaluated to be “Important” with a maximum CVSSv3 base score of 8.8.

Affected VMware Products

  • VMware ESXi
  • VMware Workstation Pro/Player (Workstation)
  • VMware Fusion Pro/Fusion (Fusion)
  • VMware Cloud Foundation

Vulnerability Details

  1. CVE-2020-4004
    – Use-after-free vulnerability in XHCI USB controller
    – Attackers with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.

    Affected Product Versions, Patched Versions and Workarounds:

    | Product | Version | Running On | CVSSv3 | Severity | Fixed Version | Workarounds |
    |---|---|---|---|---|---|---|
    | ESXi | 7.0 | Any | 9.3 | Critical | ESXi70U1b-17168206 | Remove XHCI (USB 3.x) controller |
    | ESXi | 6.7 | Any | 9.3 | Critical | ESXi670-202011101-SG | Remove XHCI (USB 3.x) controller |
    | ESXi | 6.5 | Any | 9.3 | Critical | ESXi650-202011301-SG | Remove XHCI (USB 3.x) controller |
    | Fusion | 11.x | OS X | 9.3 | Critical | 11.5.7 | Remove XHCI (USB 3.x) controller |
    | Workstation | 15.x | Any | 9.3 | Critical | 15.5.7 | Remove XHCI (USB 3.x) controller |
    | VMware Cloud Foundation (ESXi) | 4.x | Any | 9.3 | Critical | Patch Pending | Remove XHCI (USB 3.x) controller |
    | VMware Cloud Foundation (ESXi) | 3.x | Any | 9.3 | Critical | Patch Pending | Remove XHCI (USB 3.x) controller |

  2. CVE-2020-4005
    – VMX elevation-of-privilege vulnerability
    – Attackers with privileges within the VMX process may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability.
    Affected Product Versions, Patched Versions and Workarounds:

    | Product | Version | Running On | CVSSv3 | Severity | Fixed Version |
    |---|---|---|---|---|---|
    | ESXi | 7.0 | Any | 8.8 | Important | ESXi70U1b-17168206 |
    | ESXi | 6.7 | Any | 8.8 | Important | ESXi670-202011101-SG |
    | ESXi | 6.5 | Any | 8.8 | Important | ESXi650-202011301-SG |
    | VMware Cloud Foundation (ESXi) | 4.x | Any | 8.8 | Important | Patch pending |
    | VMware Cloud Foundation (ESXi) | 3.x | Any | 8.8 | Important | Patch Pending |
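
The following is an added example, not code from VMware or Qualys: a small audit helper that applies the CVE-2020-4004 table to a Workstation or Fusion host by comparing the installed version with the fixed version and checking a VM's .vmx file for an XHCI controller. It assumes the .vmx setting `usb_xhci.present` (not named on this page), case-insensitive keys, and a constructed sample file.

```python
import re

# Fixed versions from the CVE-2020-4004 table: product -> (affected major, first fixed).
FIXED = {"workstation": (15, (15, 5, 7)), "fusion": (11, (11, 5, 7))}

# key = "value"; lines whose first non-blank character is '#' are skipped.
_LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text):
    """Parse .vmx text into a dict; keys lower-cased, last duplicate wins (assumption)."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def has_xhci(cfg):
    """True when the VM has a USB 3.x (XHCI) controller configured."""
    return cfg.get("usb_xhci.present", "false").strip().lower() == "true"


def assess(product, version, vmx_text):
    """Classify one VM on a Workstation/Fusion host against the table."""
    major, fixed = FIXED[product.lower()]
    v = tuple(int(p) for p in version.split("."))
    if v[0] != major:
        return "not listed"            # release line not covered by the table
    if v >= fixed:
        return "patched"
    if has_xhci(parse_vmx(vmx_text)):
        return "exposed"               # unpatched host, XHCI controller attached
    return "workaround applied"        # unpatched host, XHCI controller removed


# Constructed sample .vmx content, not taken from a real system.
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "build-agent-01"
# usb_xhci.present = "FALSE"
usb.present = "TRUE"
USB_XHCI.Present = "TRUE"
'''

if __name__ == "__main__":
    for ver in ("15.5.6", "15.5.7"):
        print(ver, assess("workstation", ver, SAMPLE_VMX))
```
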

Qualys Detection

Qualys customers can scan their network with the following QIDs to detect the vulnerable assets:

  • QID 216247 : VMware ESXi 7.0 Patch Release ESXi70U1b-17168206 Missing (VMSA-2020-0026)
  • QID 216248 : VMware ESXi 6.7 Patch Release ESXi670-202011101-SG Missing (VMSA-2020-0026)
  • QID 216249 : VMware ESXi 6.5 Patch Release ESXi650-202011301-SG Missing (VMSA-2020-0026)
  • QID 216250 : VMware ESXi 7.0 Patch Release ESXi70U1b-17168206 Missing (VMSA-2020-0026)
  • QID 216251 : VMware ESXi 6.7 Patch Release ESXi670-202011101-SG Missing (VMSA-2020-0026)
  • QID 216252 : VMware ESXi 6.5 Patch Release ESXi650-202011301-SG Missing (VMSA-2020-0026)
  • QID 374208 : VMware Workstation and VMware Fusion Use-after-free Vulnerability (VMSA-2020-0026)

Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

References and Sources

https://www.vmware.com/security/advisories/VMSA-2020-0026.html
