On November 19, 2020, VMware published an advisory addressing critical vulnerabilities in various VMware products.
VMware has evaluated the severity of CVE-2020-4004 to be “Critical” with a maximum CVSSv3 base score of 9.3. The severity of CVE-2020-4005 has been evaluated to be “Important” with a maximum CVSSv3 base score of 8.8.
Affected VMware Products
- VMware ESXi
- VMware Workstation Pro/Player (Workstation)
- VMware Fusion Pro/Fusion (Fusion)
- VMware Cloud Foundation
Vulnerability Details
- CVE-2020-4004
– Use-after-free vulnerability in XHCI USB controller
– Attackers with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
Affected Product Versions, Patched Versions and Workarounds:

| Product | Version | Running On | CVSSv3 | Severity | Fixed Version | Workarounds |
|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | 9.3 | Critical | ESXi70U1b-17168206 | Remove XHCI (USB 3.x) controller |
| ESXi | 6.7 | Any | 9.3 | Critical | ESXi670-202011101-SG | Remove XHCI (USB 3.x) controller |
| ESXi | 6.5 | Any | 9.3 | Critical | ESXi650-202011301-SG | Remove XHCI (USB 3.x) controller |
| Fusion | 11.x | OS X | 9.3 | Critical | 11.5.7 | Remove XHCI (USB 3.x) controller |
| Workstation | 15.x | Any | 9.3 | Critical | 15.5.7 | Remove XHCI (USB 3.x) controller |
| VMware Cloud Foundation (ESXi) | 4.x | Any | 9.3 | Critical | Patch Pending | Remove XHCI (USB 3.x) controller |
| VMware Cloud Foundation (ESXi) | 3.x | Any | 9.3 | Critical | Patch Pending | Remove XHCI (USB 3.x) controller |

- CVE-2020-4005
– VMX elevation-of-privilege vulnerability
– Attackers with privileges within the VMX process may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability.
Affected Product Versions, Patched Versions and Workarounds:
| Product | Version | Running On | CVSSv3 | Severity | Fixed Version |
|---|---|---|---|---|---|
| ESXi | 7.0 | Any | 8.8 | Important | ESXi70U1b-17168206 |
| ESXi | 6.7 | Any | 8.8 | Important | ESXi670-202011101-SG |
| ESXi | 6.5 | Any | 8.8 | Important | ESXi650-202011301-SG |
| VMware Cloud Foundation (ESXi) | 4.x | Any | 8.8 | Important | Patch Pending |
| VMware Cloud Foundation (ESXi) | 3.x | Any | 8.8 | Important | Patch Pending |
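The workaround VMware lists for CVE-2020-4004 is to remove the XHCI (USB 3.x) controller from affected virtual machines. The script below is an added example (not Qualys or VMware code) of how an administrator can inventory which VM configurations still carry that controller before the patch is applied. It assumes VMware `.vmx` files are `key = "value"` lines and that the controller is enabled by the `usb_xhci.present = "TRUE"` setting; the sample `.vmx` contents are constructed inline so the script runs offline.

```python
"""Inventory check for the VMSA-2020-0026 workaround: flag VMs whose
configuration still carries an xHCI (USB 3.x) controller.

Added example; not Qualys or VMware code. Assumes VMware .vmx files are
``key = "value"`` lines and that the xHCI controller is enabled by the
``usb_xhci.present = "TRUE"`` setting. The sample files below are constructed
inline for illustration; nothing is read from disk.
"""
import re

# Constructed sample .vmx contents, keyed by file name.
SAMPLE_VMX_FILES = {
    "web01.vmx": '''.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
usb_xhci.present = "TRUE"
usb_xhci.pciSlotNumber = "192"
''',
    "db01.vmx": '''.encoding = "UTF-8"
displayName = "db01"
usb.present = "TRUE"
usb_xhci.present = "FALSE"
''',
    "jump01.vmx": '''displayName = "jump01"
ehci.present = "TRUE"
''',
}

# One .vmx setting per line: key, optional whitespace, '=', quoted value.
_VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return a dict of key -> value for a .vmx body; blank and comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def has_xhci_controller(settings):
    """True when the xHCI (USB 3.x) controller is present in the VM configuration.

    The value is compared case-insensitively; an absent key means no controller.
    """
    return settings.get("usb_xhci.present", "FALSE").strip().upper() == "TRUE"


def find_vms_needing_workaround(vmx_files):
    """Return the sorted display names of VMs that still carry an xHCI controller."""
    flagged = []
    for file_name, body in vmx_files.items():
        settings = parse_vmx(body)
        if has_xhci_controller(settings):
            flagged.append(settings.get("displayName", file_name))
    return sorted(flagged)


if __name__ == "__main__":
    for vm in find_vms_needing_workaround(SAMPLE_VMX_FILES):
        print(f"{vm}: xHCI controller present; remove it or apply the fixed version")
```

In practice the dictionary would be populated from the `.vmx` files on each datastore; VMs that are flagged either get the controller removed (the vendor workaround) or are prioritised for the fixed ESXi, Workstation or Fusion release listed above.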
Qualys Detection
Qualys customers can scan their network with the following QIDs to detect the vulnerable assets:
- QID 216247 : VMware ESXi 7.0 Patch Release ESXi70U1b-17168206 Missing (VMSA-2020-0026)
- QID 216248 : VMware ESXi 6.7 Patch Release ESXi670-202011101-SG Missing (VMSA-2020-0026)
- QID 216249 : VMware ESXi 6.5 Patch Release ESXi650-202011301-SG Missing (VMSA-2020-0026)
- QID 216250 : VMware ESXi 7.0 Patch Release ESXi70U1b-17168206 Missing (VMSA-2020-0026)
- QID 216251 : VMware ESXi 6.7 Patch Release ESXi670-202011101-SG Missing (VMSA-2020-0026)
- QID 216252 : VMware ESXi 6.5 Patch Release ESXi650-202011301-SG Missing (VMSA-2020-0026)
- QID 374208 : VMware Workstation and VMware Fusion Use-after-free Vulnerability (VMSA-2020-0026)
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References and Sources
https://www.vmware.com/security/advisories/VMSA-2020-0026.html