CVE-2020-3992: VMSA-2020-0023.3
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. Note that the builds named in this description are the October 20, 2020 patches, which VMware later determined did not fix the issue completely; the complete fix is the updated patch set listed in the response matrix of section 3a.
Advisory ID: VMSA-2020-0023.3
CVSSv3 Range: 5.9 - 9.8
Issue Date: 2020-10-20
Updated On: 2020-11-24
CVE(s): CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995
Synopsis: VMware ESXi, Workstation, Fusion and NSX-T updates address multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)
1. Impacted Products
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
NSX-T
VMware Cloud Foundation
VMware vCenter Server
2. Introduction
IMPORTANT: The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely, see section (3a) Notes for an update.
Multiple vulnerabilities in VMware ESXi, Workstation, Fusion and NSX-T were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
3a. ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)
OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
To remediate CVE-2020-3992 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds for CVE-2020-3992 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
VMware would like to thank Lucas Leong (@_wmliang_) of Trend Micro’s Zero Day Initiative for reporting this issue to us.
The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely. The ESXi patches listed in the Response Matrix below are updated versions that contain the complete fix for CVE-2020-3992.
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
ESXi | 7.0 | Any | CVE-2020-3992 | 9.8 | critical | ESXi70U1a-17119627 | KB76372 | None
ESXi | 6.7 | Any | CVE-2020-3992 | 9.8 | critical | ESXi670-202011301-SG | KB76372 | None
ESXi | 6.5 | Any | CVE-2020-3992 | 9.8 | critical | ESXi650-202011401-SG | KB76372 | None
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3992 | 9.8 | critical | 4.1.0.1 | KB76372 | None
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3992 | 9.8 | critical | 3.10.1.2 | KB76372 | None
3b. NSX-T MITM vulnerability (CVE-2020-3993)
VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.
To remediate CVE-2020-3993 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank Kevin Kelpen of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
NSX-T | 3.x | Any | CVE-2020-3993 | 7.5 | important | 3.0.2 | None | None
NSX-T | 2.5.x | Any | CVE-2020-3993 | 7.5 | important | 2.5.2.2.0 | None | None
VMware Cloud Foundation (NSX-T) | 4.x | Any | CVE-2020-3993 | 7.5 | important | 4.1 | None | None
VMware Cloud Foundation (NSX-T) | 3.x | Any | CVE-2020-3993 | 7.5 | important | 3.10.1.1 | None | None
3c. TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)
VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability due to a time-of-check time-of-use issue in the ACPI device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.
To remediate CVE-2020-3981 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank Reno Robert working with Trend Micro’s Zero Day Initiative for reporting this issue to us.
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
ESXi | 7.0 | Any | CVE-2020-3981 | 7.1 | important | ESXi_7.0.1-0.0.16850804 | None | None
ESXi | 6.7 | Any | CVE-2020-3981 | 7.1 | important | ESXi670-202008101-SG | None | None
ESXi | 6.5 | Any | CVE-2020-3981 | 7.1 | important | ESXi650-202007101-SG | None | None
Fusion | 12.x | OS X | CVE-2020-3981 | N/A | N/A | Unaffected | N/A | N/A
Fusion | 11.x | OS X | CVE-2020-3981 | 7.1 | important | 11.5.6 | None | None
Workstation | 16.x | Any | CVE-2020-3981 | N/A | N/A | Unaffected | N/A | N/A
Workstation | 15.x | Any | CVE-2020-3981 | 7.1 | important | 15.5.7 | None | None
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3981 | 7.1 | important | 4.1 | None | None
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3981 | 7.1 | important | 3.10.1 | None | None
3d. TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)
VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in the ACPI device. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.
A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine’s vmx process or corrupt the hypervisor’s memory heap.
To remediate CVE-2020-3982 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank Reno Robert working with Trend Micro’s Zero Day Initiative for reporting this issue to us.
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
ESXi | 7.0 | Any | CVE-2020-3982 | 5.9 | moderate | ESXi_7.0.1-0.0.16850804 | None | None
ESXi | 6.7 | Any | CVE-2020-3982 | 5.9 | moderate | ESXi670-202008101-SG | None | None
ESXi | 6.5 | Any | CVE-2020-3982 | 5.9 | moderate | ESXi650-202007101-SG | None | None
Fusion | 12.x | OS X | CVE-2020-3982 | N/A | N/A | Unaffected | N/A | N/A
Fusion | 11.x | OS X | CVE-2020-3982 | 5.9 | moderate | 11.5.6 | None | None
Workstation | 16.x | Any | CVE-2020-3982 | N/A | N/A | Unaffected | N/A | N/A
Workstation | 15.x | Any | CVE-2020-3982 | 5.9 | moderate | 15.5.7 | None | None
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3982 | 5.9 | moderate | 4.1 | None | None
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3982 | 5.9 | moderate | 3.10.1 | None | None
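The two ACPI-device issues in sections 3c and 3d share one root cause: the emulated device validated a value it read from guest-controlled memory and then read that memory again when it used the value, so a guest racing from another vCPU could change it between the check and the use. The model below is an added example, not VMware's vmx code. The request layout (a 32-bit length followed by payload), the 64-byte device buffer and the guest represented as a callback that runs between check and use are assumptions standing in for the real device state; the point is the double fetch and the fix that copies the value once and validates the copy.

```python
"""Double-fetch (TOCTOU) model for the ACPI-device issues CVE-2020-3981/3982.

Added example, not VMware's vmx code. The request layout, the 64-byte
device buffer and the guest-as-callback are assumptions standing in for
the real device state.
"""
import struct
from typing import Callable, Optional

DEVICE_BUF_SIZE = 64                 # assumed fixed-size buffer inside the emulated device
LEN_FIELD = struct.Struct("<I")      # assumed layout: u32 length, then payload bytes


class GuestMemory:
    """A page the guest owns and can rewrite at any instant from another vCPU."""

    def __init__(self, length: int, payload: bytes) -> None:
        self.mem = bytearray(LEN_FIELD.pack(length) + payload)

    def read_len(self) -> int:
        return LEN_FIELD.unpack_from(self.mem, 0)[0]

    def write_len(self, length: int) -> None:
        LEN_FIELD.pack_into(self.mem, 0, length)

    def read_payload(self, n: int) -> bytes:
        return bytes(self.mem[LEN_FIELD.size:LEN_FIELD.size + n])


Race = Optional[Callable[[GuestMemory], None]]


def device_copy_vulnerable(guest: GuestMemory, race: Race = None) -> int:
    """Validate the length in guest memory, then re-read it when copying.

    Returns how many bytes the device tried to copy into its buffer; a value
    above DEVICE_BUF_SIZE is the out-of-bounds access.
    """
    if guest.read_len() > DEVICE_BUF_SIZE:       # time of check: first fetch
        return 0                                  # rejected
    if race is not None:
        race(guest)                               # the other vCPU rewrites the field here
    n = guest.read_len()                          # time of use: second fetch, never checked
    data = guest.read_payload(n)                  # oversized read of guest memory (3c)
    device_buf = bytearray(DEVICE_BUF_SIZE)
    device_buf[:len(data)] = data                 # in C this is the oversized write (3d)
    return len(data)


def device_copy_hardened(guest: GuestMemory, race: Race = None) -> int:
    """Fetch the length once into a local, validate the local, use only the local."""
    n = guest.read_len()                          # single fetch
    if n > DEVICE_BUF_SIZE:
        return 0
    if race is not None:
        race(guest)                               # too late: n is already the device's copy
    data = guest.read_payload(n)                  # bounded by the validated local value
    device_buf = bytearray(DEVICE_BUF_SIZE)
    device_buf[:len(data)] = data
    return len(data)


def guest_flips_length(gm: GuestMemory) -> None:
    """The racing vCPU: make the length huge once the check has passed."""
    gm.write_len(4096)


if __name__ == "__main__":
    payload = bytes(range(256)) * 16              # 4096 bytes of guest-supplied data
    for handler in (device_copy_vulnerable, device_copy_hardened):
        copied = handler(GuestMemory(16, payload), guest_flips_length)
        verdict = "OUT OF BOUNDS" if copied > DEVICE_BUF_SIZE else "ok"
        print(f"{handler.__name__}: copied {copied} bytes -> {verdict}")
```

In the C that device emulators are written in, the oversized read of the payload is the out-of-bounds read of 3c and the oversized copy into the fixed buffer is the out-of-bounds write of 3d; the model reports the attempted size instead of corrupting memory. The same discipline applies to every field a guest can write: fetch it once into a local, validate the local, and never touch the shared copy again (in C, read through a volatile pointer or an equivalent once-only accessor so the compiler cannot turn the single fetch back into two).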
3e. vCenter Server session hijack vulnerability in update function (CVE-2020-3994)
VMware vCenter Server contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.
To remediate CVE-2020-3994 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank Thorsten Tüllmann, Karlsruhe Institute of Technology, for reporting this issue to us.
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
vCenter Server | 7.0 | Any | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A
vCenter Server | 6.7 | Virtual Appliance | CVE-2020-3994 | 7.5 | important | 6.7 U3 | None | None
vCenter Server | 6.7 | Windows | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A
vCenter Server | 6.5 | Virtual Appliance | CVE-2020-3994 | 7.5 | important | 6.5 U3K | None | None
vCenter Server | 6.5 | Windows | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A
VMware Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A
VMware Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2020-3994 | 7.5 | important | 3.9.0 | None | None
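Sections 3b and 3e are the same defect class seen from two products: a client fetching software from a server (the NSX-T KVM transport node pulling packages from NSX Manager; the vCenter Server Appliance Management Interface pulling updates from a repository) that an actor in the network path can impersonate. The advisory attributes 3e explicitly to a lack of certificate validation; 3b is described only as exploitable from a MITM position, which the same client-side hardening addresses. The code below is an added example, not VMware's code for either product. It puts the client configuration that reproduces the defect beside the hardened one, adds an audit check that tells them apart, and performs the independent integrity check an updater should make on what it downloaded. The repository URL, manifest name and expected digest are assumptions.

```python
"""Update-download client: the unauthenticated-TLS pattern behind the MITM
issues in this advisory, next to the hardened form.

Added example, not VMware's code for NSX-T or vCenter Server. Repository
URL, manifest name and expected digest are assumptions.
"""
import hashlib
import hmac
import ssl
import urllib.request


def make_client_context(verify: bool) -> ssl.SSLContext:
    """TLS client context for an updater.

    verify=False is the defect: no chain validation and no host-name check, so
    a MITM presenting any certificate is accepted as the repository.
    verify=True is the hardened form: system trust store, CERT_REQUIRED,
    host-name check, TLS 1.2 or newer.
    """
    if not verify:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False               # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx = ssl.create_default_context()           # CAs loaded, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context actually authenticate the peer?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def digest_matches(payload: bytes, expected_sha256_hex: str) -> bool:
    """Compare the download against a digest obtained out of band (for example
    pinned in metadata the client already trusts), so a substituted artifact is
    caught even if the transport were compromised."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def fetch_update(url: str, expected_sha256_hex: str, ctx: ssl.SSLContext,
                 timeout: float = 30.0) -> bytes:
    """Download an update artifact; refuse unauthenticated TLS and unverified content."""
    if not url.startswith("https://"):
        raise ValueError("update repository must be reached over HTTPS")
    if not context_is_safe(ctx):
        raise ValueError("refusing to download with a TLS context that does not verify the server")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        payload = resp.read()
    if not digest_matches(payload, expected_sha256_hex):
        raise ValueError("digest mismatch: downloaded artifact is not the published one")
    return payload


if __name__ == "__main__":
    REPO_URL = "https://updates.example.internal/vcsa/6.7/update-manifest.json"  # assumed
    EXPECTED = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # assumed (SHA-256 of empty input)
    for verify in (False, True):
        try:
            data = fetch_update(REPO_URL, EXPECTED, make_client_context(verify))
            print(f"verify={verify}: fetched {len(data)} bytes, digest ok")
        except (OSError, ValueError) as exc:
            print(f"verify={verify}: refused -> {exc}")
```

The two checks are independent on purpose: certificate and host-name validation stop the MITM from answering as the repository at all, and the digest comparison catches a substituted artifact if the transport is ever misconfigured again or the repository itself is compromised. An appliance that pins the digest in metadata it already trusts (for example a signed manifest shipped with the current build) does not need to trust the update channel for integrity, only for availability.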
3f. VMCI host driver memory leak vulnerability (CVE-2020-3995)
The VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.
To remediate CVE-2020-3995 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank Tianwen Tang (VictorV) for reporting this issue to us.
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
ESXi | 7.0 | Any | CVE-2020-3995 | N/A | N/A | Unaffected | N/A | N/A
ESXi | 6.7 | Any | CVE-2020-3995 | 7.1 | important | ESXi670-201908101-SG | None | None
ESXi | 6.5 | Any | CVE-2020-3995 | 7.1 | important | ESXi650-201907101-SG | None | None
Fusion | 11.x | OS X | CVE-2020-3995 | 7.1 | important | 11.1.0 | None | None
Workstation | 15.x | Any | CVE-2020-3995 | 7.1 | important | 15.1.0 | None | None
VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3995 | N/A | N/A | Unaffected | N/A | N/A
VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3995 | 7.1 | important | 3.9.0 | None | None
4. References
5. Change Log
2020-10-20 VMSA-2020-0023
Initial security advisory.
2020-11-04 VMSA-2020-0023.1
Updated patch versions in the response matrix of section (3a) after release of ESXi patches that completed the incomplete fix for CVE-2020-3992 on 2020-11-04.
2020-11-19 VMSA-2020-0023.2
Updated security advisory to add Workstation 15.x version in the response matrix of sections 3(c) and 3(d).
2020-11-24 VMSA-2020-0023.3
Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of section 3(a).
6. Contact