VMware has released a new security advisory VMSA-2020-0026: VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005).
Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one critical issue and one important issue.
The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-4004 to the use-after-free vulnerability in the XHCI USB controller and CVE-2020-4005 to the VMX elevation-of-privilege vulnerability.
A malicious actor with local administrative privileges on a virtual machine may exploit the use-after-free vulnerability in the XHCI USB controller to execute code as the virtual machine’s VMX process running on the host. Then, through the VMX elevation-of-privilege vulnerability, the same actor, holding privileges only within the VMX process, may escalate their privileges on the affected system.
VMSA-2020-0026 – Affected Products and Resolutions
The following products are affected by both vulnerabilities:
- ESXi 7.0 – install patch ESXi70U1b-17168206
- ESXi 6.7 – install patch ESXi670-202011101-SG
- ESXi 6.5 – install patch ESXi650-202011301-SG
- VMware Cloud Foundation (ESXi) 4.x – update to 4.1.0.1
- VMware Cloud Foundation (ESXi) 3.x – update to 3.10.1.2
The following products are affected only by the use-after-free vulnerability in the XHCI USB controller:
- Fusion 11.x – update to Fusion 11.5.7
- Workstation 15.x – update to Workstation 15.5.7
Fusion 12.x and Workstation 16.x are unaffected by these vulnerabilities.
VMSA-2020-0026 – Workaround
As a workaround for the use-after-free vulnerability in the XHCI USB controller, you can remove the USB controller from the virtual machines:
- ESXi: Remove a USB controller from a virtual machine
- Fusion/Workstation: Remove the USB Controller on VMware Workstation and VMware Fusion
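To track which Fusion and Workstation VMs still need the patch or the workaround, the following added example (not code from VMware or from the advisory) classifies a VM from its product version and its .vmx text. It assumes `usb_xhci.present` is the .vmx key that marks an xHCI controller; the function names and the sample .vmx are constructed for illustration, and ESXi is left out because the fixes above are given as patch names rather than versions.

```python
import re

# Fixed releases and unaffected major lines, as listed in the advisory summary.
FIXED = {"fusion": (11, 5, 7), "workstation": (15, 5, 7)}
UNAFFECTED_MAJOR = {"fusion": 12, "workstation": 16}

# A .vmx line looks like: key = "value"; lines starting with '#' are comments.
_VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')

# Constructed sample, not taken from a real VM.
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "build-agent-01"
# usb_xhci.present = "FALSE"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
'''

def parse_vmx(text):
    """Map lower-cased .vmx keys to their values, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def has_xhci(text):
    """True when the VM still has an xHCI controller (assumed key name)."""
    return parse_vmx(text).get("usb_xhci.present", "").strip().lower() == "true"

def triage(product, version, vmx_text):
    """Classify one VM as patched, unaffected, exposed, mitigated or unknown."""
    product = product.lower()
    ver = tuple(int(p) for p in version.split("."))
    if UNAFFECTED_MAJOR.get(product) == ver[0]:
        return "unaffected"
    fixed = FIXED.get(product)
    if fixed is None or ver[0] != fixed[0]:
        return "unknown"      # release line not covered by the summary
    if ver >= fixed:
        return "patched"
    return "exposed" if has_xhci(vmx_text) else "mitigated"

if __name__ == "__main__":
    print(triage("Fusion", "11.5.6", SAMPLE_VMX))
```

A result of "mitigated" means the controller is absent from the configuration, not that the product has been updated.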
You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.