VMware Security Advisory

VMSA-2020-0023 – VMware ESXi, Workstation, Fusion and NSX-T Vulnerabilities

VMware has released a new security advisory VMSA-2020-0023: VMware ESXi, Workstation, Fusion, NSX-T, and vCenter Server Appliance updates address multiple security vulnerabilities. VMware Cloud Foundation is also an impacted product.

ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

OpenSLP as used in ESXi has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service, resulting in remote code execution. If you can't upgrade to a fixed version, as a workaround you can disable the CIM server, as documented in VMware KB 76372.

Affected products:

  • ESXi 7.0 – update to ESXi_7.0.1-0.0.16850804
  • ESXi 6.7 – update to ESXi670-202010401-SG
  • ESXi 6.5 – update to ESXi650-202010401-SG
  • VMware Cloud Foundation 4.x – update to 4.1
  • VMware Cloud Foundation 3.x – update to 3.10.1.1
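Because the OpenSLP issue is only reachable over port 427, a quick way to see which hosts still expose it is to audit the ESXi firewall from vCenter with PowerCLI. The script below is an added example, not part of the advisory or of KB 76372; it assumes PowerCLI is installed, that the SLP firewall exception is labelled "CIM SLP" on your hosts, and that the opt-in -Disable switch is only used on hosts you cannot patch yet.

```powershell
# Added example: report, and optionally close, the "CIM SLP" firewall
# exception (port 427) on every ESXi host managed by a vCenter.
# Assumes VMware PowerCLI and an account with host configuration rights.
param(
    [Parameter(Mandatory)][string]$VCenter,
    [switch]$Disable   # assumed opt-in switch; default is report only
)

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($esx in Get-VMHost) {
    # Exception label assumed to be "CIM SLP" (ruleset id CIMSLP on ESXi)
    $slp = Get-VMHostFirewallException -VMHost $esx -Name 'CIM SLP'

    [pscustomobject]@{
        Host       = $esx.Name
        Version    = $esx.Version
        Build      = $esx.Build      # compare with the fixed builds above
        SlpExposed = [bool]$slp.Enabled
    }

    if ($Disable -and $slp.Enabled) {
        # Closing the exception removes network reachability of port 427 only;
        # stopping the SLP/CIM service itself follows the steps in KB 76372.
        Set-VMHostFirewallException -Exception $slp -Enabled:$false | Out-Null
    }
}

# Exposed hosts first, so the ones still needing attention are at the top
$report | Sort-Object SlpExposed -Descending | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it read-only first; the Build column lets you confirm which hosts are already on the patched releases listed above before deciding where the workaround is still needed.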

NSX-T MITM vulnerability (CVE-2020-3993)

VMSA-2020-0023 documents an NSX-T security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. A malicious actor with man-in-the-middle positioning may be able to exploit this issue to compromise the transport node.

Affected products:

  • NSX-T 3.x – update to 3.0.2
  • NSX-T 2.5.x – update to 2.5.2.2.0
  • VMware Cloud Foundation 4.x – update to 4.1
  • VMware Cloud Foundation 3.x – update to 3.10.1.1

TOCTOU out-of-bounds read vulnerability (CVE-2020-3981)

VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability due to a time-of-check time-of-use issue in the ACPI device. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Affected products:

  • ESXi 7.0 – update to ESXi_7.0.1-0.0.16850804
  • ESXi 6.7 – update to ESXi670-202008101-SG
  • ESXi 6.5 – update to ESXi650-202007101-SG
  • Fusion 11.x – update to 11.5.6
  • Workstation 15.x – patch pending
  • VMware Cloud Foundation 4.x – update to 4.1
  • VMware Cloud Foundation 3.x – update to 3.10.1

As documented by VMSA-2020-0023, Fusion 12.x and Workstation 16.x are not affected by this vulnerability.

TOCTOU out-of-bounds write vulnerability (CVE-2020-3982)

VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in the ACPI device. A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine's vmx process or corrupt the hypervisor's memory heap.

Affected products:

  • ESXi 7.0 – update to ESXi_7.0.1-0.0.16850804
  • ESXi 6.7 – update to ESXi670-202008101-SG
  • ESXi 6.5 – update to ESXi650-202007101-SG
  • Fusion 11.x – update to 11.5.6
  • Workstation 15.x – patch pending
  • VMware Cloud Foundation 4.x – update to 4.1
  • VMware Cloud Foundation 3.x – update to 3.10.1

Fusion 12.x and Workstation 16.x are not affected by this vulnerability.

vCenter Server session hijack vulnerability in update function (CVE-2020-3994)

VMSA-2020-0023 documents a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.

Affected products:

  • vCenter Server 6.7 virtual appliance – update to 6.7 Update 3
  • vCenter Server 6.5 virtual appliance – update to 6.5 Update 3K
  • VMware Cloud Foundation 3.x – update to 3.9.0

vCenter Server 7.0, vCenter Server 6.7 running on Windows, vCenter Server 6.5 running on Windows, and VMware Cloud Foundation 4.x are not affected by this vulnerability.

VMCI host driver memory leak vulnerability (CVE-2020-3995)

The VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.

Affected products:

  • ESXi 6.7 – update to ESXi670-202008101-SG
  • ESXi 6.5 – update to ESXi650-202007101-SG
  • Fusion 11.x – update to 11.1.0
  • Workstation 15.x – update to 15.1.0
  • VMware Cloud Foundation 3.x – update to 3.9.0

ESXi 7.0, VMware Cloud Foundation 4.x, Fusion 12.x, and Workstation 16.x are not affected by this vulnerability.

You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.


Constantin Ghioc

I usually play with vSphere API, Ansible, vRealize Automation, vRealize Orchestrator, and different AWS tools. In my other life I’m a husband and a father, an amateur photographer and a Go enthusiast.
