VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.
VMware Security Advisory
The vulnerability was discovered by Qihoo 360 Vulcan Team at the 2020 Tianfu Cup Pwn Contest held earlier this month in China.
Firstly, The vulnerability was described: CVE-2020-4004, CVE-2020-4005, CVE-2020-4006.
Secondly, Below are the list of affected VMware products:
- VMware Workspace One Access (versions 20.01 and 20.10 for Linux and Windows)
- Workspace One Access Connector (versions 20.10, 20.01.0.0, and 20.01.0.1 for Windows)
- VMware Identity Manager (versions 3.3.1, 3.3.2, and 3.3.3 for Linux and Windows)
- Identity Manager Connector (versions 3.3.1, 3.3.2 for Linux and 3.3.1, 3.3.2, 3.3.3 for Windows)
- VMware Cloud Foundation (versions 4.x for Linux and Windows)
- vRealize Suite Lifecycle Manager (versions 8.x for Linux and Windows)
CVE-2020-4004 — Use-after-free Vulnerability in XHCI USB Controller
Description:
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller.
Because of which a malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
CVSS Score:
Score 9.3
Fixed Versions:
| Product | Version | Running On | Fixed Version | Workarounds |
| ESXi | 7 | Any | ESXi70U1b-17168206 | Remove XHCI (USB 3.x) controller |
| ESXi | 6.7 | Any | ESXi670-202011101-SG | Remove XHCI (USB 3.x) controller |
| ESXi | 6.5 | Any | ESXi650-202011301-SG | Remove XHCI (USB 3.x) controller |
| Fusion | 11.x | OS X | 11.5.7 | Remove XHCI (USB 3.x) controller |
| Workstation | 15.x | Any | 15.5.7 | Remove XHCI (USB 3.x) controller |
| VMware Cloud Foundation (ESXi) | 4.x | Any | Patch Pending | Remove XHCI (USB 3.x) controller |
| VMware Cloud Foundation (ESXi) | 3.x | Any | Patch Pending | Remove XHCI (USB 3.x) controller |
CVE-2020-4005 — VMX elevation-of-privilege Vulnerability
Description:
VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed.
However, A malicious actor with privileges within the VMX process only, may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability (e.g. CVE-2020-4004).
CVSS Score:
Score 8.8
Fixed Versions:
| Product | Version | Running On | Fixed Version | Workarounds |
| ESXi | 7 | Any | ESXi70U1b-17168206 | Any |
| ESXi | 6.7 | Any | ESXi670-202011101-SG | Any |
| ESXi | 6.5 | Any | ESXi650-202011301-SG | Any |
| VMware Cloud Foundation (ESXi) | 4.x | Any | Patch pending | Any |
| VMware Cloud Foundation (ESXi) | 3.x | Any | Patch Pending | Any |
CVE-2020-4006 — Command Injection Vulnerability
Description:
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a Command Injection Vulnerability in the administrative configurator.
However, A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.
CVSS Score:
Score 9.1
Fixed versions:
| Product | Version | Running On | Fixed Version | Workarounds |
| Access | 20.1 | Linux | Patch Pending | KB81731 |
| Access | 20.01 | Linux | Patch Pending | KB81731 |
| vIDM | 3.3.3 | Linux | Patch Pending | KB81731 |
| vIDM | 3.3.2 | Linux | Patch Pending | KB81731 |
| vIDM | 3.3.1 | Linux | Patch Pending | KB81731 |
| vIDM Connector | 3.3.3 | Windows | Patch Pending | KB81731 |
| vIDM Connector | 3.32 | Linux | Patch Pending | KB81731 |
| vIDM Connector | 3.3.2 | Windows | Patch Pending | KB81731 |
| vIDM Connector | 3.3.1 | Linux | Patch Pending | KB81731 |
| vIDM Connector | 3.3.1 | Windows | Patch Pending | KB81731 |
Recommendations:
In short, Visit the official VMware page to fix the temporary workarounds released.
Leave A Comment