Critical Vulnerabilities in VMware Products

Published on 24 Nov 2020

Updated on 07 Dec 2020

UPDATED as of 7 December 2020: VMware released the security patches for CVE-2020-4006 in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. Users and system administrators of the affected products are advised to install the latest security updates immediately.

 

VMware has released advisories on multiple critical vulnerabilities. These vulnerabilities are:

  • CVE-2020-4004: a use-after-free vulnerability in the XHCI USB controller that allows an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.
  • CVE-2020-4005: a privilege-escalation vulnerability that exists in the way certain system calls are being managed, allowing an attacker with privileges within the VMX process to escalate privileges on the affected system. Successful exploitation of this vulnerability is only possible when chained with another vulnerability (such as CVE-2020-4004).
  • CVE-2020-4006: a command injection vulnerability that allows an attacker with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account, to execute code with unrestricted privileges on the operating system.

 

These vulnerabilities, when exploited together, can be used to compromise virtual machines such as a Microsoft Active Directory or Domain Controller running on ESXi. 

Security patches addressing CVE-2020-4004 and CVE-2020-4005, in VMware ESXi, Workstation and Fusion, have been released. Users and system administrators of the affected products are advised to install the latest security updates immediately.

Security patches for CVE-2020-4006 in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are currently not available. The workarounds for this vulnerability are listed at https://www.vmware.com/security/advisories/VMSA-2020-0027.html.

More information is available at:
https://www.vmware.com/security/advisories/VMSA-2020-0026.html
https://www.vmware.com/security/advisories/VMSA-2020-0027.html