CVE-2020-3965: VMSA-2020-0015

Advisory ID: VMSA-2020-0015.2

CVSSv3 Range: 4.0 - 9.3

Issue Date: 2020-06-23

Updated On: 2020-07-02

CVE(s): CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971

Synopsis: VMware Cloud Foundation, ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971)

Share this page on social media

Sign up for Security Advisories

****1. Impacted Products****

• VMware ESXi
• VMware Workstation Pro / Player (Workstation)
• VMware Fusion Pro / Fusion (Fusion)
• VMware Cloud Foundation

****2. Introduction****

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in affected VMware products as well as workarounds.

****3a. Use-after-free vulnerability in SVGA device (CVE-2020-3962)****

VMware ESXi, Workstation and Fusion contain a Use-after-free vulnerability in the SVGA device. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine.

To remediate CVE-2020-3962 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2020-3962 have been been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) from Synacktiv (@Synacktiv) working with Trend Micro’s Zero Day Initiative for reporting this issue to us.

[1] 3D graphics are not enabled by default on ESXi.
[2] 3D graphics are enabled by default on Workstation and Fusion.

****3b. Off-by-one heap-overflow vulnerability in SVGA device (CVE-2020-3969)****

VMware ESXi, Workstation and Fusion contain an off-by-one heap-overflow vulnerability in the SVGA device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker’s control must be present for exploitation to be possible.

To remediate CVE-2020-3969 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2020-3969 have been been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) from Synacktiv (@Synacktiv) working with Trend Micro’s Zero Day Initiative for reporting this issue to us.

[1] 3D graphics are not enabled by default on ESXi.
[2] 3D graphics are enabled by default on Workstation and Fusion.
[3] CVE-2020-3969 does not affect the ESXi 6.7 or 6.5 release lines.

****3c. Out-of-bound read issue in Shader Functionality (CVE-2020-3970)****

VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability in the Shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.0.

A malicious actor with non-administrative local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to crash the virtual machine’s vmx process leading to a partial denial of service condition.

To remediate CVE-2020-3970 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2020-3970 have been been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Wei Lei and anhdaden of STAR Labs working with Trend Micro Zero Day Initiative for reporting this issue to us.

[1] 3D graphics are not enabled by default on ESXi.
[2] 3D graphics are enabled by default on Workstation and Fusion.

Response Matrix - 3a, 3b, 3c

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

ESXi[1]

7.0

Any

CVE-2020-3962, CVE-2020-3969, CVE-2020-3970

9.3

critical

ESXi_7.0.0-1.20.16321839

See Item 34

None

ESXi[1]

6.7

Any

CVE-2020-3962, [3]CVE-2020-3969, CVE-2020-3970

9.3

critical

ESXi670-202004101-SG

See Item 34

None

ESXi[1]

6.5

Any

CVE-2020-3962, [3]CVE-2020-3969, CVE-2020-3970

9.3

critical

ESXi650-202005401-SG

See Item 34

None

Fusion[2]

11.x

Any

CVE-2020-3962, CVE-2020-3969, CVE-2020-3970

9.3

critical

11.5.5

KB59146

None

Workstation[2]

15.x

Any

CVE-2020-3962, CVE-2020-3969, CVE-2020-3970

9.3

critical

15.5.5

KB59146

None

VMware Cloud Foundation

4.x

Any

CVE-2020-3962, CVE-2020-3969, CVE-2020-3970

9.3

critical

4.0.1

See Item 34

None

VMware Cloud Foundation

3.x

Any

CVE-2020-3962, [3]CVE-2020-3969 CVE-2020-3970

9.3

critical

3.10

See Item 34

None

****3d. Heap-overflow issue in EHCI controller (CVE-2020-3967)****

VMware ESXi, Workstation and Fusion contain a heap-overflow vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

A malicious actor with local access to a virtual machine may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker’s control must be present for exploitation to be possible.

To remediate CVE-2020-3967 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2020-3967 have been been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us.

****3e. Out-of-bounds write vulnerability in xHCI controller (CVE-2020-3968)****

VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability in the USB 3.0 controller (xHCI). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to crash the virtual machine’s vmx process leading to a denial of service condition or execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker’s control must be present for exploitation to be possible.

To remediate CVE-2020-3968 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2020-3968 have been been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us.

****3f. Heap-overflow due to race condition in EHCI controller (CVE-2020-3966)****

VMware ESXi, Workstation and Fusion contain a heap-overflow due to a race condition issue in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

A malicious actor with local access to a virtual machine may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker’s control must be present for exploitation to be possible.

To remediate CVE-2020-3966 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2020-3966 have been been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Reno Robert working with Trend Micro Zero Day Initiative for reporting this issue to us.

****3g. Information leak in the XHCI USB controller (CVE-2020-3965)****

VMware ESXi, Workstation and Fusion contain an information leak in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

A malicious actor with local access to a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

To remediate CVE-2020-3965 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2020-3965 have been been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Cfir Cohen of Google Cloud security for reporting this issue to us.

****3h. Information Leak in the EHCI USB controller (CVE-2020-3964)****

VMware ESXi, Workstation and Fusion contain an information leak in the EHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 5.9.

A malicious actor with local access to a virtual machine may be able to read privileged information contained in the hypervisor’s memory. Additional conditions beyond the attacker’s control need to be present for exploitation to be possible.

To remediate CVE-2020-3964 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2020-3964 have been been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Cfir Cohen of Google Cloud security for reporting this issue to us.

****3i. Use-after-free vulnerability in PVNVRAM (CVE-2020-3963)****

VMware ESXi, Workstation and Fusion contain a Use-after-free vulnerability in PVNVRAM. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

A malicious actor with local access to a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. Additional conditions beyond the attacker’s control need to be present for exploitation to be possible.

To remediate CVE-2020-3963 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

VMware would like to thank Cfir Cohen of Google Cloud security for reporting this issue to us.

[4]The workarounds documented in the Response Matrix below are not applicable to CVE-2020-3963.

Response Matrix - 3g, 3h, 3i

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

ESXi

7.0

Any

CVE-2020-3965, CVE-2020-3963, CVE-2020-3964

7.1

important

ESXi_7.0.0-1.20.16321839

[4]Remove USB Controller

None

ESXi

6.7

Any

CVE-2020-3965, CVE-2020-3963, CVE-2020-3964

7.1

important

ESXi670-202006401-SG

[4]Remove USB Controller

None

ESXi

6.5

Any

CVE-2020-3965, CVE-2020-3963, CVE-2020-3964

7.1

important

ESXi650-202005401-SG

[4]Remove USB Controller

None

Fusion

11.x

Any

CVE-2020-3965, CVE-2020-3963, CVE-2020-3964

7.1

important

11.5.2

[4]Remove USB Controller

None

Workstation

15.x

Any

CVE-2020-3965, CVE-2020-3963, CVE-2020-3964

7.1

important

15.5.2

[4]Remove USB Controller

None

VMware Cloud Foundation

4.x

Any

CVE-2020-3965, CVE-2020-3963, CVE-2020-3964

7.1

important

4.0.1

[4]Remove USB Controller

None

VMware Cloud Foundation

3.x

Any

CVE-2020-3965, CVE-2020-3963, CVE-2020-3964

7.1

important

3.10.0.1

[4]Remove USB Controller

None

****3j. Heap overflow vulnerability in vmxnet3 (CVE-2020-3971)****

VMware ESXi, Fusion and Workstation contain a heap overflow vulnerability in the vmxnet3 virtual network adapter. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

A malicious actor with local access to a virtual machine with a vmxnet3 network adapter present may be able to read privileged information contained in hypervisor memory from a virtual machine. Additional conditions beyond the attacker’s control need to be present for exploitation to be possible.

To remediate CVE-2020-3971 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

VMware would like to thank Tianwen Tang(VictorV) of Qihoo 360Vulcan Team for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

ESXi

7.0

Any

CVE-2020-3971

N/A

N/A

Unaffected

N/A

N/A

ESXi

6.7

Any

CVE-2020-3971

5.9

moderate

ESXi670-201904101-SG

None.

None

ESXi

6.5

Any

CVE-2020-3971

5.9

moderate

ESXi650-201907101-SG

None

None

Fusion

11.x

Any

CVE-2020-3971

5.9

moderate

11.0.2

None

None

Workstation

15.x

Any

CVE-2020-3971

5.9

moderate

15.0.2

None

None

VMware Cloud Foundation

4.x

Any

CVE-2020-3971

N/A

N/A

Unaffected

None

None

VMware Cloud Foundation

3.x

Any

CVE-2020-3971

5.9

moderate

3.7.2

None

None

****4. References****

****5. Change Log****

2020-06-23 VMSA-2020-0015
Initial security advisory.

2020-06-25 VMSA-2020-0015.1

Updated advisory with remediation information for the VMware Cloud Foundation 4.x release line.

2020-07-02 VMSA-2020-0015.2

Updated advisory with remediation information for the VMware Cloud Foundation 3.x release line.

****6. Contact****