About Two New Critical VMware ESXi Vulnerabilities: CVE-2020-4004 and CVE-2020-4005

On 19th Nov 20, VMware released a security announcement with Advisory ID VMSA-2020-0027, in which two new critical VMware ESXi vulnerabilities, CVE-2020-4004 and CVE-2020-4005, were disclosed. The announcement impacts VMware Workspace One Access, VMware Cloud Foundation, VMware ESXi 6.5, 6.7 and 7.0, Access Connector, Identity Manager, and Identity Manager Connector.

The vulnerabilities were found during China’s Tianfu Cup hacking competition by Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360 Vulcan Team, working with the 2020 Tianfu Cup Pwn Contest. VMware thanked them with thousands of dollars in bounty prizes.

Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.

The workaround for the above vulnerability is to remove the XHCI (USB 3.x) controller from all VMs. The vulnerability has been fixed in the versions mentioned in the response matrix and the recommendation is to patch installations as soon as possible.
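To apply the workaround you first need to know which VMs still carry the controller. The following is an added example, not code from the advisory or from VMware: it scans a directory tree of .vmx files and lists those with an enabled XHCI controller. It assumes the controller is recorded under the `usb_xhci.present` key, that keys are matched case-insensitively, and that `#` starts a comment; the sample configurations are constructed.

```python
import re
import tempfile
from pathlib import Path

# VMX files are flat text made of `key = "value"` lines; `#` lines are skipped.
_VMX_LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        match = _VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings

def has_xhci(text):
    """True when the configuration enables an XHCI (USB 3.x) controller."""
    value = parse_vmx(text).get("usb_xhci.present", "false")  # assumed key name
    return value.strip().lower() == "true"

def audit(root):
    """Walk root for .vmx files and return the names that still have XHCI."""
    flagged = []
    for vmx in sorted(Path(root).rglob("*.vmx")):
        if has_xhci(vmx.read_text(encoding="utf-8", errors="replace")):
            flagged.append(vmx.name)
    return flagged

# Constructed sample configurations (not taken from a real host).
SAMPLES = {
    "web01/web01.vmx": '.encoding = "UTF-8"\nusb_xhci.present = "TRUE"\n',
    "db01/db01.vmx": 'usb.present = "TRUE"\nehci.present = "TRUE"\n',
    "build/build.vmx": 'USB_XHCI.Present = "true"\n',
    "old/old.vmx": '# usb_xhci.present = "TRUE"\nusb_xhci.present = "FALSE"\n',
}

def demo():
    """Write the samples to a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            path = Path(root) / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return audit(root)

if __name__ == "__main__":
    for name in demo():
        print(f"{name}: XHCI controller present, remove it or patch the host")
```

VMs that only have a USB 2.0 controller (db01 in the samples) are not flagged, since the workaround targets the XHCI controller specifically.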

Response Matrix For CVE-2020-4004:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-4004 | 9.3 | Critical | ESXi70U1b-17168206 | Remove XHCI (USB 3.x) controller | None |
| ESXi | 6.7 | Any | CVE-2020-4004 | 9.3 | Critical | ESXi670-202011101-SG | Remove XHCI (USB 3.x) controller | None |
| ESXi | 6.5 | Any | CVE-2020-4004 | 9.3 | Critical | ESXi650-202011301-SG | Remove XHCI (USB 3.x) controller | None |
| Fusion | 12.x | OS X | CVE-2020-4004 | N/A | N/A | Unaffected | N/A | N/A |
| Fusion | 11.x | OS X | CVE-2020-4004 | 9.3 | Critical | 11.5.7 | Remove XHCI (USB 3.x) controller | None |
| Workstation | 16.x | Any | CVE-2020-4004 | N/A | N/A | Unaffected | N/A | N/A |
| Workstation | 15.x | Any | CVE-2020-4004 | 9.3 | Critical | 15.5.7 | Remove XHCI (USB 3.x) controller | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-4004 | 9.3 | Critical | Patch Pending | Remove XHCI (USB 3.x) controller | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-4004 | 9.3 | Critical | Patch Pending | Remove XHCI (USB 3.x) controller | None |

VMX elevation-of-privilege vulnerability (CVE-2020-4005)

VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors: A malicious actor with privileges within the VMX process only may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability (e.g. CVE-2020-4004).

There is no workaround for this issue as of now. To remediate CVE-2020-4005, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Response Matrix For CVE-2020-4005:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-4005 | 8.8 | Important | ESXi70U1b-17168206 | None | None |
| ESXi | 6.7 | Any | CVE-2020-4005 | 8.8 | Important | ESXi670-202011101-SG | None | None |
| ESXi | 6.5 | Any | CVE-2020-4005 | 8.8 | Important | ESXi650-202011301-SG | None | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-4005 | 8.8 | Important | Patch Pending | None | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-4005 | 8.8 | Important | Patch Pending | None | None |

Source: VMware Advisory VMSA-2020-0026
