Multiple vulnerabilities in VMware ESXi, Fusion, Workstation and Cloud Foundation
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2020-3967 CVE-2020-3968 CVE-2020-3970 CVE-2020-3969 CVE-2020-3962 |
| CWE-ID | CWE-122 CWE-787 CWE-125 CWE-193 CWE-416 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
VMware ESXi Operating systems & Components / Operating system VMware Fusion Client/Desktop applications / Virtualization software VMware Workstation Client/Desktop applications / Virtualization software Cloud Foundation Client/Desktop applications / Virtualization software |
| Vendor | VMware, Inc |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
Updated: 01.07.2020
Updated description of vulnerabilities and provided links to ZDI.
1) Heap-based buffer overflow
EUVDB-ID: #VU29298
Risk: Low
CVSSv4.0: 4.8 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-3967
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error in EHCI controller. A local attacker can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVMware ESXi: 6.5 - 7.0
VMware Fusion: 11.0.0 - 11.5.3
VMware Workstation: 15.0.0 - 15.5.2
Cloud Foundation: 3.0 - 4.0
CPE2.3- cpe:2.3:o:vmware:vmware_esxi:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:vmware_esxi:6.7:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:vmware_esxi:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_cloud_foundation:3.0:*:*:*:*:*:*:*
https://exchange.xforce.ibmcloud.com/vulnerabilities/183922
https://www.zerodayinitiative.com/advisories/ZDI-20-784/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU29297
Risk: Low
CVSSv4.0: 4.8 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-3968
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing untrusted input in xHCI controller. A local attacker can trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVMware ESXi: 6.5 - 7.0
VMware Fusion: 11.0.0 - 11.5.3
VMware Workstation: 15.0.0 - 15.5.2
Cloud Foundation: 3.0 - 4.0
CPE2.3- cpe:2.3:o:vmware:vmware_esxi:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:vmware_esxi:6.7:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:vmware_esxi:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_cloud_foundation:3.0:*:*:*:*:*:*:*
https://www.zerodayinitiative.com/advisories/ZDI-20-781/
https://www.vmware.com/security/advisories/VMSA-2020-0015.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU29296
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-3970
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in the Shader functionality. A local attacker can trigger out-of-bounds read error and cause a denial of service condition on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVMware ESXi: 6.5 - 7.0
VMware Fusion: 11.0.0 - 11.5.3
VMware Workstation: 15.0.0 - 15.5.2
Cloud Foundation: 3.0 - 4.0
CPE2.3- cpe:2.3:o:vmware:vmware_esxi:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:vmware_esxi:6.7:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:vmware_esxi:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_cloud_foundation:3.0:*:*:*:*:*:*:*
https://www.vmware.com/security/advisories/VMSA-2020-0015.html
https://www.zerodayinitiative.com/advisories/ZDI-20-782/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Off-by-one
EUVDB-ID: #VU29295
Risk: Low
CVSSv4.0: 6.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-3969
CWE-ID:
CWE-193 - Off-by-one Error
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an off-by-one error in SVGA device when processing SVGA3D commands. A local attacker can trigger an off-by-one error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVMware ESXi: 7.0
VMware Fusion: 11.0.0 - 11.5.3
VMware Workstation: 15.0.0 - 15.5.2
Cloud Foundation: 3.0 - 4.0
CPE2.3- cpe:2.3:o:vmware:vmware_esxi:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_cloud_foundation:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_cloud_foundation:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_cloud_foundation:3.0.1.1:*:*:*:*:*:*:*
https://www.vmware.com/security/advisories/VMSA-2020-0015.html
https://www.zerodayinitiative.com/advisories/ZDI-20-786/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU29294
Risk: Low
CVSSv4.0: 6.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-3962
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the SVGA device when processing SVGA DXInvalidateContext command. A local attacker can execute arbitrary code on the hypervisor from a virtual machine.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVMware ESXi: 6.5 - 7.0
VMware Fusion: 11.0.0 - 11.5.3
VMware Workstation: 15.0.0 - 15.5.2
Cloud Foundation: 3.0 - 4.0
CPE2.3- cpe:2.3:o:vmware:vmware_esxi:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:vmware_esxi:6.7:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:vmware_esxi:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_fusion:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_workstation:15.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_cloud_foundation:3.0:*:*:*:*:*:*:*
https://www.vmware.com/security/advisories/VMSA-2020-0015.html
https://www.zerodayinitiative.com/advisories/ZDI-20-785/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
