VMware Security Advisory

VMSA-2020-0026 – ESXi, Workstation, and Fusion Vulnerabilities

VMware has released a new security advisory VMSA-2020-0026: VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005).

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one critical issue and one important issue.

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2020-4004 to the use-after-free vulnerability in the XHCI USB controller and CVE-2020-4005 to the VMX elevation-of-privilege vulnerability.

A malicious actor with local administrative privileges on a virtual machine may exploit the use-after-free vulnerability in the XHCI USB controller to execute code as the virtual machine’s VMX process running on the host. Then, because of the VMX elevation-of-privilege vulnerability, the same actor, holding privileges within the VMX process only, may escalate their privileges on the affected system.

VMSA-2020-0026 – Affected Products and Resolutions

The following products are affected by both vulnerabilities:

The following products are affected only by the use-after-free vulnerability in the XHCI USB controller:

Fusion 12.x and Workstation 16.x are unaffected by these vulnerabilities.

VMSA-2020-0026 – Workaround

As a workaround for the use-after-free vulnerability in the XHCI USB controller, you can remove the USB controller from the virtual machines:
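To track where the workaround still has to be applied, the following added example (not part of the original advisory or of VMware's tooling) scans a directory tree of `.vmx` files and lists the virtual machines that still declare an xHCI controller. It assumes the controller is recorded in the VM configuration as `usb_xhci.present = "TRUE"`, a key the page itself does not mention; the sample configurations are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption (not stated on the page): a .vmx file records the xHCI (USB 3.x)
# controller with the entry  usb_xhci.present = "TRUE".
XHCI_KEY = "usb_xhci.present"
_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

# Constructed sample configurations, not taken from a real VM.
SAMPLE_WITH_XHCI = '''\
.encoding = "UTF-8"
displayName = "build-agent-01"
usb.present = "TRUE"
USB_XHCI.present = "TRUE"
usb_xhci.pciSlotNumber = "192"
'''
SAMPLE_WITHOUT_XHCI = '''\
displayName = "db-02"
# usb_xhci.present = "TRUE"
usb_xhci.present = "FALSE"
'''

def parse_vmx(text):
    """Parse key = "value" lines; comment lines (#) and malformed lines are skipped."""
    config = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            # Keys are lower-cased so the lookup does not depend on spelling case.
            config[match.group(1).lower()] = match.group(2)
    return config

def has_xhci(text):
    """True if the configuration still declares an xHCI controller."""
    return parse_vmx(text).get(XHCI_KEY, "").strip().lower() == "true"

def scan_tree(root):
    """Return the sorted paths of .vmx files under root that declare xHCI."""
    hits = []
    for path in Path(root).rglob("*.vmx"):
        if has_xhci(path.read_text(encoding="utf-8", errors="replace")):
            hits.append(str(path))
    return sorted(hits)

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it against a datastore or VM folder before and after removing the controllers; an empty result means no configuration under that path still declares xHCI.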

You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.

Constantin Ghioc
