Security Alert (A20-03-04): Multiple Vulnerabilities in VMware Products


 

Published on: 17 March 2020

  
  

Description:

VMware has published a security advisory to address use-after-free vulnerability in vmnetdhcp, improper file permissions in Cortado Thinprint, and improper protection for the configuration files of the VMware USB arbitration service.

 

Affected Systems:

  • VMware Workstation version 15.x
  • VMware Fusion version 11.x
  • VMware Horizon Client for Windows version 5.x and prior
  • VMware Remote Console (VMRC) for Windows version 10.x

 

Impact:

Successful exploitation of the vulnerabilities could allow an attacker to execute arbitrary code or commands on the host machine from a guest virtual machine, elevate the privileges of a local non-administrative account to root on a guest virtual machine, or allow an attacker to create a denial-of-service condition on the host machine.

 

Recommendation:

The product vendor has released new versions to address the issues at the vendor's website:

  • VMware Workstation Pro 15.5.2
    https://www.vmware.com/go/downloadworkstation

  • VMware Workstation Player 15.5.2
    https://www.vmware.com/go/downloadplayer

  • VMware Fusion 11.5.2
    https://www.vmware.com/go/downloadfusion

  • VMware Horizon Client for Windows 5.3.0
    https://my.vmware.com/web/vmware/details?downloadGroup=CART20FQ4_WIN_530&productId=863

  • VMware Remote Console for Windows 11.0.0
    https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1100&productId=742

System administrators of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

https://www.vmware.com/security/advisories/VMSA-2020-0004.html
https://www.hkcert.org/my_url/en/alert/20031602
https://www.us-cert.gov/ncas/current-activity/2020/03/16/vmware-releases-security-updates-multiple-products
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3948

 



Tag: VMware , VMware Fusion , Horizon Client , VMware Remote Console , VMware Workstation
Tags