Multiple vulnerabilities in VMware ESXi



Published: 2020-10-20
Risk High
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2020-3981
CVE-2020-3982
CVE-2020-3992
CVE-2020-3995
CWE ID CWE-125
CWE-787
CWE-416
CWE-401
Exploitation vector Network
Public exploit Public exploit code for vulnerability #3 is available.
Vulnerable software
Subscribe
VMware ESXi
Operating systems & Components / Operating system

Vendor VMware, Inc

Security Advisory

1) Out-of-bounds read

Risk: Medium

CVSSv3.1: 5.4 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3981

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition due to a time-of-check time-of-use issue in ACPI device within the implementation of the BDOOR_CMD_PATCH_ACPI_TABLES command. A remote administrator on a guest OS can run a specially crafted program to read memory from the vmx process.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 6.5, 6.7, 7.0, ESXi650-201903001, ESXi650-201907201-UG, ESXi650-201910401-SG, ESXi650-201911401, ESXi650-201911402, ESXi650-201912001, ESXi650-201912104-SG, ESXi650-202005401-SG, ESXi670-201903001, ESXi670-201904101-SG, ESXi670-201908101-SG, ESXi670-201908201-UG, ESXi670-201911401, ESXi670-201911402, ESXi670-201912001, ESXi670-202004101-SG, ESXi670-202004103-SG, ESXi670-202006401-SG, ESXi_7.0.0-1.20.16321839

CPE External links

https://www.vmware.com/security/advisories/VMSA-2020-0023.html
https://www.zerodayinitiative.com/advisories/ZDI-20-1269/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds write

Risk: High

CVSSv3.1: 7.3 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3982

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error caused by a time-of-check time-of-use issue in ACPI device within the implementation of the BDOOR_CMD_PATCH_ACPI_TABLES command. A remote administrator on the guest OS can run a specially crafted program to trigger a heap-based buffer overflow and crash the system or execute arbitrary code on the hypervisor.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 6.5, 6.7, 7.0, ESXi650-201903001, ESXi650-201907201-UG, ESXi650-201910401-SG, ESXi650-201911401, ESXi650-201911402, ESXi650-201912001, ESXi650-201912104-SG, ESXi650-202005401-SG, ESXi670-201903001, ESXi670-201904101-SG, ESXi670-201908101-SG, ESXi670-201908201-UG, ESXi670-201911401, ESXi670-201911402, ESXi670-201912001, ESXi670-202004101-SG, ESXi670-202004103-SG, ESXi670-202006401-SG, ESXi_7.0.0-1.20.16321839

CPE External links

https://www.vmware.com/security/advisories/VMSA-2020-0023.html
https://www.zerodayinitiative.com/advisories/ZDI-20-1268/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3992

CWE-ID: CWE-416 - Use After Free

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the OpenSLP service. A remote attacker can can send specially crafted SLP message to port 427/udp, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 6.5, 6.7, 7.0, ESXi650-201903001, ESXi650-201907201-UG, ESXi650-201910401-SG, ESXi650-201911401, ESXi650-201911402, ESXi650-201912001, ESXi650-201912104-SG, ESXi650-202005401-SG, ESXi670-201903001, ESXi670-201904101-SG, ESXi670-201908101-SG, ESXi670-201908201-UG, ESXi670-201911401, ESXi670-201911402, ESXi670-201912001, ESXi670-202004101-SG, ESXi670-202004103-SG, ESXi670-202006401-SG, ESXi_7.0.0-1.20.16321839

CPE External links

https://www.vmware.com/security/advisories/VMSA-2020-0023.html
https://www.zerodayinitiative.com/advisories/ZDI-20-1269/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory leak

Risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3995

CWE-ID: CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak within the VMCI host driver. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 6.5, 6.7, ESXi650-201903001, ESXi650-201907201-UG, ESXi650-201910401-SG, ESXi650-201911401, ESXi650-201911402, ESXi650-201912001, ESXi650-201912104-SG, ESXi650-202005401-SG, ESXi670-201903001, ESXi670-201904101-SG, ESXi670-201908101-SG, ESXi670-201908201-UG, ESXi670-201911401, ESXi670-201911402, ESXi670-201912001, ESXi670-202004101-SG, ESXi670-202004103-SG, ESXi670-202006401-SG

CPE External links

https://www.vmware.com/security/advisories/VMSA-2020-0023.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###