VMware Multiple Vulnerabilities (VMSA-2020-0015)

VMware issued a new security advisory on 23rd June, 2020. VMSA-2020-0015 addresses ten security vulnerabilities in various VMware products.

Among these vulnerabilities, CVE-2020-3962 is critical, with a CVSSv3 base score of 9.3. The remaining nine flaws are of Important and Moderate severity.

Affected VMware Products:

  • VMware ESXi
  • VMware Workstation Pro/Player (Workstation)
  • VMware Fusion Pro/Fusion (Fusion)
  • VMware Cloud Foundation

Vulnerability Details

  1. CVE-2020-3962
     • Use-after-free vulnerability in SVGA device
     • Attackers with local access to a virtual machine with 3D graphics enabled can exploit this vulnerability to execute code on the hypervisor from a virtual machine.
  2. CVE-2020-3969
     • Off-by-one heap-overflow vulnerability in SVGA device
     • Attackers with local access to a virtual machine with 3D graphics enabled can exploit this vulnerability to execute code on the hypervisor from a virtual machine.
  3. CVE-2020-3970
     • Out-of-bounds read issue in Shader Functionality
     • Attackers with non-administrative local access to a virtual machine with 3D graphics enabled can exploit this vulnerability to crash the virtual machine’s Virtual Machine Extension (VMX) process leading to a partial denial of service condition.
  4. CVE-2020-3967
     • Heap-overflow issue in Enhanced Host Controller Interface (EHCI) controller
     • Attackers with local access to a virtual machine can exploit this vulnerability to execute code on the hypervisor from a virtual machine.
  5. CVE-2020-3968
     • Out-of-bounds write vulnerability in Extensible Host Controller Interface (xHCI) controller
     • Attackers with local administrative privileges on a virtual machine can exploit this issue to crash the virtual machine’s Virtual Machine Extension (VMX) process leading to a denial of service condition or execute code on the hypervisor from a virtual machine.
  6. CVE-2020-3966
     • Heap-overflow due to race condition in Enhanced Host Controller Interface (EHCI) controller
     • Attackers with local access to a virtual machine can exploit this vulnerability to execute code on the hypervisor from a virtual machine.
  7. CVE-2020-3965
     • Information leak in the Extensible Host Controller Interface (xHCI) USB controller
     • Attackers with local access to a virtual machine can read privileged information contained in hypervisor memory from a virtual machine.
  8. CVE-2020-3964
     • Information leak in the Enhanced Host Controller Interface (EHCI) USB controller
     • Attackers with local access to a virtual machine can read privileged information contained in the hypervisor’s memory.
  9. CVE-2020-3963
     • Use-after-free vulnerability in PVNVRAM (Non Volatile Random Access Memory)
     • Attackers with local access to a virtual machine can read privileged information contained in hypervisor memory from a virtual machine.
  10. CVE-2020-3971
     • Heap overflow vulnerability in vmxnet3 (VMXNET Generation 3)
     • Attackers with local access to a virtual machine with a vmxnet3 network adapter present can read privileged information contained in hypervisor memory from a virtual machine.

Affected Product Versions, Patched Versions and Workarounds:

  1. VMware ESXi 7.0

| Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
|---|---|---|---|---|
| 7.0 | CVE-2020-3962, CVE-2020-3969, CVE-2020-3970 | 9.3 | ESXi_7.0.0-1.20.16321839 | Disable 3D features on Server and desktop virtual machines |
| 7.0 | CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | 8.1 | ESXi_7.0.0-1.20.16321839 | Remove USB Controller |
| 7.0 | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | ESXi_7.0.0-1.20.16321839 | Remove USB Controller |

  2. VMware ESXi 6.7

| Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
|---|---|---|---|---|
| 6.7 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397 | 9.3 | ESXi670-202004101-SG | Disable 3D features on Server and desktop virtual machines |
| 6.7 | CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | 8.1 | ESXi670-202004101-SG | Remove USB Controller |
| 6.7 | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | ESXi670-202006401-SG | Remove USB Controller |
| 6.7 | CVE-2020-3971 | 5.9 | ESXi670-201904101-SG | None |

  3. VMware ESXi 6.5

| Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
|---|---|---|---|---|
| 6.5 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397 | 9.3 | ESXi650-202005401-SG | Disable 3D features on Server and desktop virtual machines |
| 6.5 | CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | 8.1 | ESXi650-202005401-SG | Remove USB Controller |
| 6.5 | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | ESXi650-202005401-SG | Remove USB Controller |
| 6.5 | CVE-2020-3971 | 5.9 | ESXi650-201907101-SG | None |

  4. VMware Workstation Pro / Player and VMware Fusion Pro / Fusion

| Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
|---|---|---|---|---|
| Workstation 15.x, Fusion 11.x | CVE-2020-3962, CVE-2020-3969, CVE-2020-3970 | 9.3 | Workstation 15.5, Fusion 11.5 | KB59146 |
| Workstation 15.x, Fusion 11.x | CVE-2020-3967, CVE-2020-3968 | 8.1 | Workstation 15.5, Fusion 11.5 | Remove USB Controller |
| Workstation 15.x, Fusion 11.x | CVE-2020-3966 | 8.1 | Workstation 15.2, Fusion 11.2 | Remove USB Controller |
| Workstation 15.x, Fusion 11.x | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | Workstation 15.2, Fusion 11.2 | Remove USB Controller |
| Workstation 15.x, Fusion 11.x | CVE-2020-3971 | 5.9 | Workstation 15.0.2, Fusion 11.0.2 | None |

  5. VMware Cloud Foundation

| Affected Versions | CVE Identifier | CVSSv3 | Fixed Version | Workarounds |
|---|---|---|---|---|
| 4.x, 3.x | CVE-2020-3962, CVE-2020-3969, CVE-2020-3970 | 9.3 | 4.0.1 (4.x), 3.10 (3.x) | Disable 3D features on Server and desktop virtual machines |
| 4.x, 3.x | CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | 8.1 | 4.0.1 (4.x), 3.10 (3.x) | Remove USB Controller |
| 4.x, 3.x | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | 7.1 | 4.0.1 (4.x), 3.10.0.1 (3.x) | Remove USB Controller |
| 3.x | CVE-2020-3971 | 5.9 | 3.7.2 | None |
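
To scope the workarounds above (disable 3D features, remove the USB controller) before patching, the following added example, which is not from VMware or the original post, parses a virtual machine's .vmx configuration and reports which of the affected virtual devices are enabled, with the CVEs this page ties to each. Treating an absent key as "not configured" and the sample file contents are assumptions.

```python
import re

# Affected virtual device -> CVEs, as listed under "Vulnerability Details".
DEVICE_CVES = {
    "svga3d": ["CVE-2020-3962", "CVE-2020-3969", "CVE-2020-3970"],
    "ehci": ["CVE-2020-3967", "CVE-2020-3966", "CVE-2020-3964"],
    "xhci": ["CVE-2020-3968", "CVE-2020-3965"],
    "vmxnet3": ["CVE-2020-3971"],
}
_ENTRY = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines; keys are lowercased for lookup."""
    cfg = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def _enabled(cfg, key):
    # Assumption: an absent key means the device is not configured.
    return cfg.get(key, "").strip().lower() == "true"

def triage(text):
    """Return {device: [CVEs]} for affected devices enabled in this .vmx."""
    cfg = parse_vmx(text)
    found = []
    if _enabled(cfg, "mks.enable3d"):
        found.append("svga3d")
    if _enabled(cfg, "ehci.present"):
        found.append("ehci")
    if _enabled(cfg, "usb_xhci.present"):
        found.append("xhci")
    for key, value in cfg.items():
        nic = re.fullmatch(r"(ethernet\d+)\.virtualdev", key)
        if nic and value.lower() == "vmxnet3" and _enabled(cfg, nic.group(1) + ".present"):
            found.append("vmxnet3")
            break
    return {dev: DEVICE_CVES[dev] for dev in found}

# Constructed sample .vmx content (not taken from a real host).
SAMPLE_VMX = """\
displayName = "build-agent-01"
mks.enable3D = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
"""
```

CVE-2020-3963 (PVNVRAM) is not mapped because the vulnerability list gives no device setting for it; an empty result from `triage()` therefore does not replace applying the fixed versions.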

Detection:
Qualys customers can scan their network with the following QIDs to detect vulnerable assets:

| Affected Versions | CVE Identifier | QID |
|---|---|---|
| VMware ESXi 7.0 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397, CVE-2020-3967, CVE-2020-3968, CVE-2020-3966, CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | QID 216229: VMware ESXi 7.0 Patch Release ESXi_7.0.0-1.20.16321839 Missing (VMSA-2020-0015) |
| VMware ESXi 6.7 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397, CVE-2020-3967, CVE-2020-3968, CVE-2020-3966 | QID 216230: VMware ESXi 6.7 Patch Release ESXi670-202004101-SG Missing (VMSA-2020-0015) |
| VMware ESXi 6.7 | CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | QID 216232: VMware ESXi 6.7 Patch Release ESXi670-202006401-SG Missing (VMSA-2020-0015) |
| VMware ESXi 6.7 | CVE-2020-3971 | QID 216231: VMware ESXi 6.7 Patch Release ESXi670-201904101-SG Missing (VMSA-2020-0015) |
| VMware ESXi 6.5 | CVE-2020-3962, CVE-2020-3969, CVE-2020-397, CVE-2020-3967, CVE-2020-3968, CVE-2020-3966, CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | QID 216233: VMware ESXi 6.5 Patch Release ESXi650-202005401-SG Missing (VMSA-2020-0015) |
| VMware ESXi 6.5 | CVE-2020-3971 | QID 216198: VMware ESXi 6.5 Patch Release ESXi650-201907101-SG Missing (VMSA-2019-0013, VMSA-2020-0015) |
| Workstation 15.x, Fusion 11.x | CVE-2020-3962, CVE-2020-3969, CVE-2020-3970, CVE-2020-3967, CVE-2020-3968 | QID 372937: VMware Workstation and VMware Fusion Multiple Vulnerabilities (VMSA-2020-0015) |
| Workstation 15.x, Fusion 11.x | CVE-2020-3966, CVE-2020-3965, CVE-2020-3963, CVE-2020-3964 | QID 372938: VMware Workstation and VMware Fusion Multiple Vulnerabilities (VMSA-2020-0015) |
| Workstation 15.x, Fusion 11.x | CVE-2020-3971 | QID 372939: VMware Workstation and VMware Fusion Heap Overflow Vulnerability (VMSA-2020-0015) |

Please continue to follow Qualys Threat Protection for more coverage on these vulnerabilities.

References & Sources:

https://www.vmware.com/security/advisories/VMSA-2020-0015.html
