Multiple vulnerabilities in VMware ESXi, Fusion, Workstation and Cloud Foundation



Published: 2020-06-25 | Updated: 2020-07-01
Risk Low
Patch available YES
Number of vulnerabilities 5
CVE ID CVE-2020-3967
CVE-2020-3968
CVE-2020-3970
CVE-2020-3969
CVE-2020-3962
CWE ID CWE-122
CWE-787
CWE-125
CWE-193
CWE-416
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe
VMware ESXi
Operating systems & Components / Operating system

VMware Fusion
Client/Desktop applications / Virtualization software

VMware Workstation
Client/Desktop applications / Virtualization software

Cloud Foundation
Client/Desktop applications / Virtualization software

Vendor VMware, Inc

Security Advisory

Updated: 01.07.2020

Updated description of vulnerabilities and provided links to ZDI.

1) Heap-based buffer overflow

Risk: Low

CVSSv3: 7.1 [CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3967

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error in EHCI controller. A local attacker can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 6.5, 6.7, 7.0

VMware Fusion: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.1.0, 11.1.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3

VMware Workstation: 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.5.0, 15.5.1, 15.5.2

Cloud Foundation: 3.0, 3.0.1, 3.0.1.1, 3.5, 3.5.1, 3.7, 3.7.1, 3.7.2, 3.8, 3.9, 3.9.1, 4.0

CPE External links

https://exchange.xforce.ibmcloud.com/vulnerabilities/183922
https://www.zerodayinitiative.com/advisories/ZDI-20-784/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds write

Risk: Low

CVSSv3: 7.1 [CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3968

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing untrusted input in xHCI controller. A local attacker can trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 6.5, 6.7, 7.0

VMware Fusion: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.1.0, 11.1.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3

VMware Workstation: 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.5.0, 15.5.1, 15.5.2

Cloud Foundation: 3.0, 3.0.1, 3.0.1.1, 3.5, 3.5.1, 3.7, 3.7.1, 3.7.2, 3.8, 3.9, 3.9.1, 4.0

CPE External links

https://www.zerodayinitiative.com/advisories/ZDI-20-781/
https://www.vmware.com/security/advisories/VMSA-2020-0015.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds read

Risk: Low

CVSSv3: 6.2 [CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3970

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the Shader functionality. A local attacker can trigger out-of-bounds read error and cause a denial of service condition on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 6.5, 6.7, 7.0

VMware Fusion: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.1.0, 11.1.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3

VMware Workstation: 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.5.0, 15.5.1, 15.5.2

Cloud Foundation: 3.0, 3.0.1, 3.0.1.1, 3.5, 3.5.1, 3.7, 3.7.1, 3.7.2, 3.8, 3.9, 3.9.1, 4.0

CPE External links

https://www.vmware.com/security/advisories/VMSA-2020-0015.html
https://www.zerodayinitiative.com/advisories/ZDI-20-782/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Off-by-one

Risk: Low

CVSSv3: 8.1 [CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3969

CWE-ID: CWE-193 - Off-by-one Error

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an off-by-one error in SVGA device when processing SVGA3D commands. A local attacker can trigger an off-by-one error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 7.0

VMware Fusion: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.1.0, 11.1.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3

VMware Workstation: 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.5.0, 15.5.1, 15.5.2

Cloud Foundation: 3.0, 3.0.1, 3.0.1.1, 3.5, 3.5.1, 3.7, 3.7.1, 3.7.2, 3.8, 3.9, 3.9.1, 4.0

CPE External links

https://www.vmware.com/security/advisories/VMSA-2020-0015.html
https://www.zerodayinitiative.com/advisories/ZDI-20-786/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use-after-free

Risk: Low

CVSSv3: 8.1 [CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3962

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the SVGA device when processing SVGA DXInvalidateContext command. A local attacker can execute arbitrary code on the hypervisor from a virtual machine.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 6.5, 6.7, 7.0

VMware Fusion: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.1.0, 11.1.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3

VMware Workstation: 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.5.0, 15.5.1, 15.5.2

Cloud Foundation: 3.0, 3.0.1, 3.0.1.1, 3.5, 3.5.1, 3.7, 3.7.1, 3.7.2, 3.8, 3.9, 3.9.1, 4.0

CPE External links

https://www.vmware.com/security/advisories/VMSA-2020-0015.html
https://www.zerodayinitiative.com/advisories/ZDI-20-785/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.