The impact of this announcement is high – critical. Please act accordingly to remediate the issue, as stated below.
What you need to know:
Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Patches, updates and workarounds are available to remediate these vulnerabilities in affected VMware products.
Actions to be taken:
Download security patches for the following Impacted Products:
VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion Pro / Fusion (Fusion) and VMware Cloud Foundation.
The patches should address the following vulnerabilities:
CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971
The updates are available at https://www.vmware.com/security/advisories/VMSA-2020-0015.html
What is the impact of not doing the actions?
CVE-2020-3962, the most serious of the vulnerabilities, is a critical use-after-free bug related to the SVGA device. An attacker who has local access to a virtual machine with 3D graphics enabled can exploit the weakness for arbitrary code execution on the hypervisor from the VM. 3D graphics are enabled by default on Workstation and Fusion, but not on ESXi.
An additional vulnerability patched this week by the same company is an off-by-one heap overflow bug related to the SVGA device. Exploitation of this vulnerability requires the same types of permissions and also results in code execution.
Another high-severity vulnerability affecting ESXi, Workstation and Fusion has been described as a heap overflow affecting the USB 2.0 controller. Similar to the aforementioned security holes, this one also allows an attacker with local access to a VM to execute arbitrary code on the hypervisor.
A high-severity vulnerability identified in the USB 3.0 controller allows an attacker with admin privileges on the VM to cause a denial-of-service (DoS) condition or execute arbitrary code on the hypervisor. In addition, a high-severity issue affecting this controller can be leveraged by a local attacker to read privileged information from memory.
Other flaws patched by the company have been rated medium severity and they can be exploited by local attackers to cause a DoS condition or to read privileged information from memory.
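To help prioritise patching, the following added example (not part of the original advisory and not VMware tooling) reads the text of a VM's .vmx file and reports whether the virtual devices named above (SVGA 3D graphics, USB 2.0 controller, USB 3.0 controller) are enabled. The keys mks.enable3d, ehci.present and usb_xhci.present are standard .vmx settings; the sample file content is constructed, and a result of "unset" means the product default applies and should be checked per product.

```python
import re

# .vmx keys for the virtual devices named in the advisory text above.
# Treating these keys as exposure indicators is this example's assumption.
DEVICE_KEYS = {
    "mks.enable3d": "SVGA 3D graphics",
    "ehci.present": "USB 2.0 controller",
    "usb_xhci.present": "USB 3.0 controller",
}

LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value} for key = "value" lines; skip comments and junk."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            # Lowercase so mks.enable3D and mks.enable3d both match.
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_vmx(text):
    """Map each device to 'enabled', 'disabled' or 'unset'."""
    settings = parse_vmx(text)
    result = {}
    for key, device in DEVICE_KEYS.items():
        value = settings.get(key)
        if value is None:
            result[device] = "unset"      # product default applies
        elif value.strip().lower() == "true":
            result[device] = "enabled"
        else:
            result[device] = "disabled"
    return result

# Constructed sample .vmx content, not taken from a real VM.
SAMPLE_VMX = '''
.encoding = "UTF-8"
displayName = "build-agent-01"
mks.enable3D = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
'''

if __name__ == "__main__":
    for device, state in audit_vmx(SAMPLE_VMX).items():
        print(f"{device}: {state}")
```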