CVE-2020-3992: VMSA-2020-0023.3

OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.

Advisory ID: VMSA-2020-0023.3

CVSSv3 Range: 5.9 - 9.8

Issue Date: 2020-10-20

Updated On: 2020-11-24

CVE(s): CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995

Synopsis: VMware ESXi, Workstation, Fusion and NSX-T updates address multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)

**1. Impacted Products**

  • VMware ESXi

  • VMware Workstation Pro / Player (Workstation)

  • VMware Fusion Pro / Fusion (Fusion)

  • NSX-T

  • VMware Cloud Foundation

  • VMware vCenter Server

**2. Introduction**

IMPORTANT: The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely; see the note in section (3a) for an update.

Multiple vulnerabilities in VMware ESXi, Workstation, Fusion and NSX-T were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

**3a. ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)**

OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.

To remediate CVE-2020-3992 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2020-3992 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Lucas Leong (@_wmliang_) of Trend Micro’s Zero Day Initiative for reporting this issue to us.

The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely. The ESXi patches listed in the Response Matrix below are updated versions that contain the complete fix for CVE-2020-3992.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-3992 | 9.8 | critical | ESXi70U1a-17119627 | KB76372 | None |
| ESXi | 6.7 | Any | CVE-2020-3992 | 9.8 | critical | ESXi670-202011301-SG | KB76372 | None |
| ESXi | 6.5 | Any | CVE-2020-3992 | 9.8 | critical | ESXi650-202011401-SG | KB76372 | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3992 | 9.8 | critical | 4.1.0.1 | KB76372 | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3992 | 9.8 | critical | 3.10.1.2 | KB76372 | None |

**3b. NSX-T MITM vulnerability (CVE-2020-3993)**

VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.

To remediate CVE-2020-3993 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

VMware would like to thank Kevin Kelpen of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| NSX-T | 3.x | Any | CVE-2020-3993 | 7.5 | important | 3.0.2 | None | None |
| NSX-T | 2.5.x | Any | CVE-2020-3993 | 7.5 | important | 2.5.2.2.0 | None | None |
| VMware Cloud Foundation (NSX-T) | 4.x | Any | CVE-2020-3993 | 7.5 | important | 4.1 | None | None |
| VMware Cloud Foundation (NSX-T) | 3.x | Any | CVE-2020-3993 | 7.5 | important | 3.10.1.1 | None | None |

**3c. TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)**

VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability due to a time-of-check time-of-use issue in the ACPI device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

To remediate CVE-2020-3981 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

VMware would like to thank Reno Robert working with Trend Micro’s Zero Day Initiative for reporting this issue to us.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-3981 | 7.1 | important | ESXi_7.0.1-0.0.16850804 | None | None |
| ESXi | 6.7 | Any | CVE-2020-3981 | 7.1 | important | ESXi670-202008101-SG | None | None |
| ESXi | 6.5 | Any | CVE-2020-3981 | 7.1 | important | ESXi650-202007101-SG | None | None |
| Fusion | 12.x | OS X | CVE-2020-3981 | N/A | N/A | Unaffected | N/A | N/A |
| Fusion | 11.x | OS X | CVE-2020-3981 | 7.1 | important | 11.5.6 | None | None |
| Workstation | 16.x | Any | CVE-2020-3981 | N/A | N/A | Unaffected | N/A | N/A |
| Workstation | 15.x | Any | CVE-2020-3981 | 7.1 | important | 15.5.7 | None | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3981 | 7.1 | important | 4.1 | None | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3981 | 7.1 | important | 3.10.1 | None | None |

**3d. TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)**

VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in the ACPI device. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine’s vmx process or corrupt the hypervisor’s memory heap.

To remediate CVE-2020-3982 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

VMware would like to thank Reno Robert working with Trend Micro’s Zero Day Initiative for reporting this issue to us.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-3982 | 5.9 | moderate | ESXi_7.0.1-0.0.16850804 | None | None |
| ESXi | 6.7 | Any | CVE-2020-3982 | 5.9 | moderate | ESXi670-202008101-SG | None | None |
| ESXi | 6.5 | Any | CVE-2020-3982 | 5.9 | moderate | ESXi650-202007101-SG | None | None |
| Fusion | 12.x | OS X | CVE-2020-3982 | N/A | N/A | Unaffected | N/A | N/A |
| Fusion | 11.x | OS X | CVE-2020-3982 | 5.9 | moderate | 11.5.6 | None | None |
| Workstation | 16.x | Any | CVE-2020-3982 | N/A | N/A | Unaffected | N/A | N/A |
| Workstation | 15.x | Any | CVE-2020-3982 | 5.9 | moderate | 15.5.7 | None | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3982 | 5.9 | moderate | 4.1 | None | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3982 | 5.9 | moderate | 3.10.1 | None | None |

**3e. vCenter Server session hijack vulnerability in update function (CVE-2020-3994)**

VMware vCenter Server contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.

To remediate CVE-2020-3994 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

VMware would like to thank Thorsten Tüllmann, Karlsruhe Institute of Technology, for reporting this issue to us.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| vCenter Server | 7.0 | Any | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A |
| vCenter Server | 6.7 | Virtual Appliance | CVE-2020-3994 | 7.5 | important | 6.7 U3 | None | None |
| vCenter Server | 6.7 | Windows | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A |
| vCenter Server | 6.5 | Virtual Appliance | CVE-2020-3994 | 7.5 | important | 6.5 U3K | None | None |
| vCenter Server | 6.5 | Windows | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2020-3994 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2020-3994 | 7.5 | important | 3.9.0 | None | None |

**3f. VMCI host driver memory leak vulnerability (CVE-2020-3995)**

The VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.

To remediate CVE-2020-3995 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

VMware would like to thank Tianwen Tang (VictorV) for reporting this issue to us.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-3995 | N/A | N/A | Unaffected | N/A | N/A |
| ESXi | 6.7 | Any | CVE-2020-3995 | 7.1 | important | ESXi670-201908101-SG | None | None |
| ESXi | 6.5 | Any | CVE-2020-3995 | 7.1 | important | ESXi650-201907101-SG | None | None |
| Fusion | 11.x | OS X | CVE-2020-3995 | 7.1 | important | 11.1.0 | None | None |
| Workstation | 15.x | Any | CVE-2020-3995 | 7.1 | important | 15.1.0 | None | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-3995 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-3995 | 7.1 | important | 3.9.0 | None | None |

**4. References**

**5. Change Log**

2020-10-20 VMSA-2020-0023
Initial security advisory.

2020-11-04 VMSA-2020-0023.1
Updated patch versions in the response matrix of section (3a) after release of ESXi patches that completed the incomplete fix for CVE-2020-3992 on 2020-11-04.

2020-11-19 VMSA-2020-0023.2
Updated security advisory to add Workstation 15.x version in the response matrix of sections 3(c) and 3(d).

2020-11-24 VMSA-2020-0023.3
Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of section 3(a).

**6. Contact**
