VMSA-2020-0026

Critical

Advisory ID: VMSA-2020-0026.1
CVSSv3 Range: 8.8 – 9.3
Issue Date: 2020-11-19
Updated On: 2020-11-24
CVE(s): CVE-2020-4004, CVE-2020-4005
Synopsis: VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005)

1. Impacted Products

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation

2. Introduction

 
Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.

Resolution

To remediate CVE-2020-4004, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

Workarounds for CVE-2020-4004 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360 Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this issue to us.

Notes

None.

Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-4004 | 9.3 | critical | ESXi70U1b-17168206 | Remove XHCI (USB 3.x) controller | None |
| ESXi | 6.7 | Any | CVE-2020-4004 | 9.3 | critical | ESXi670-202011101-SG | Remove XHCI (USB 3.x) controller | None |
| ESXi | 6.5 | Any | CVE-2020-4004 | 9.3 | critical | ESXi650-202011301-SG | Remove XHCI (USB 3.x) controller | None |
| Fusion | 12.x | OS X | CVE-2020-4004 | N/A | N/A | Unaffected | N/A | N/A |
| Fusion | 11.x | OS X | CVE-2020-4004 | 9.3 | critical | 11.5.7 | Remove XHCI (USB 3.x) controller | None |
| Workstation | 16.x | Any | CVE-2020-4004 | N/A | N/A | Unaffected | N/A | N/A |
| Workstation | 15.x | Any | CVE-2020-4004 | 9.3 | critical | 15.5.7 | Remove XHCI (USB 3.x) controller | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-4004 | 9.3 | critical | 4.1.0.1 | Remove XHCI (USB 3.x) controller | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-4004 | 9.3 | critical | 3.10.1.2 | Remove XHCI (USB 3.x) controller | None |
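
Where patching must wait, the "Remove XHCI (USB 3.x) controller" workaround can be audited by finding virtual machines that still have the controller configured. The script below is an added example, not part of VMware's advisory; it assumes the controller is enabled by the .vmx setting `usb_xhci.present = "TRUE"` (a key name this page does not give), and its sample .vmx contents are constructed.

```python
import re
from pathlib import Path

# Assumption (not in the advisory): the virtual xHCI (USB 3.x) controller is
# enabled when this .vmx key is set to "TRUE".
XHCI_KEY = "usb_xhci.present"
# One setting per line, key = "value"; lines starting with '#' are comments.
_SETTING = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')

# Constructed sample .vmx contents, for illustration only.
SAMPLE_EXPOSED = '.encoding = "UTF-8"\nusb.present = "TRUE"\nusb_xhci.present = "TRUE"\n'
SAMPLE_REMOVED = 'usb.present = "TRUE"\n# usb_xhci.present = "TRUE"\nUSB_XHCI.Present = "FALSE"\n'


def parse_vmx(text):
    """Map each lowercased key to the list of values it is given."""
    settings = {}
    for line in text.splitlines():
        match = _SETTING.match(line)
        if match:
            settings.setdefault(match.group(1).lower(), []).append(match.group(2))
    return settings


def has_xhci(text):
    """True if any occurrence of the key is TRUE (duplicates count as exposed)."""
    values = parse_vmx(text).get(XHCI_KEY, [])
    return any(value.strip().upper() == "TRUE" for value in values)


def scan(root):
    """Return (exposed, unreadable) lists of .vmx paths found under root."""
    exposed, unreadable = [], []
    for path in sorted(Path(root).rglob("*.vmx")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            unreadable.append(str(path))  # report, never silently skip
            continue
        if has_xhci(text):
            exposed.append(str(path))
    return exposed, unreadable


if __name__ == "__main__":
    import sys
    exposed, unreadable = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for vmx in exposed:
        print("xHCI controller present:", vmx)
    for vmx in unreadable:
        print("could not read:", vmx)
```

Run it against the directory that holds the VM folders (or a copy of their .vmx files); any path reported as unreadable needs a manual check, since it cannot be counted as remediated.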

3b. VMX elevation-of-privilege vulnerability (CVE-2020-4005)

Description

VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor with privileges within the VMX process only may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability (e.g. CVE-2020-4004).

Resolution

To remediate CVE-2020-4005, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360 Vulcan Team working with the 2020 Tianfu Cup Pwn Contest for reporting this issue to us.

Notes

None.

Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-4005 | 8.8 | important | ESXi70U1b-17168206 | None | None |
| ESXi | 6.7 | Any | CVE-2020-4005 | 8.8 | important | ESXi670-202011101-SG | None | None |
| ESXi | 6.5 | Any | CVE-2020-4005 | 8.8 | important | ESXi650-202011301-SG | None | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-4005 | 8.8 | important | 4.1.0.1 | None | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-4005 | 8.8 | important | 3.10.1.2 | None | None |

4. References

VMware ESXi 7.0 ESXi70U1b-17168206
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1b.html

VMware ESXi 6.7 ESXi670-202011101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202011002.html

VMware ESXi 6.5 ESXi650-202011301-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202011002.html

VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware vCloud Foundation 4.1.0.1
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.1/rn/VMware-Cloud-Foundation-41-Release-Notes.html#4.1.0.1

VMware vCloud Foundation 3.10.1.2
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html#3.10.1.2

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4005

FIRST CVSSv3 Calculator:
CVE-2020-4004 – https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-4005 – https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

5. Change Log

2020-11-19 VMSA-2020-0026 Initial security advisory.
 
2020-11-24 VMSA-2020-0026.1 Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of sections 3(a) and 3(b).

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 
 
This Security Advisory is posted to the following lists:  
security-announce@lists.vmware.com  
bugtraq@securityfocus.com  
fulldisclosure@seclists.org 
 
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055 
 
VMware Security Advisories
https://www.vmware.com/security/advisories 
 
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 
 
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 
 
VMware Security & Compliance Blog  
https://blogs.vmware.com/security 
 
Copyright 2020 VMware Inc. All rights reserved.