On 19 November 2020, VMware released a security advisory with Advisory ID VMSA-2020-0027, disclosing two new critical VMware ESXi vulnerabilities, CVE-2020-4004 and CVE-2020-4005. The affected products are VMware Workspace One Access, VMware Cloud Foundation, VMware ESXi 6.5, 6.7 and 7.0, Access Connector, Identity Manager, and Identity Manager Connector.
The vulnerabilities were found by Xiao Wei and Tianwen Tang (VictorV) of the Qihoo 360 Vulcan Team during China's 2020 Tianfu Cup Pwn Contest. VMware rewarded them with thousands of dollars in bounty prizes.
Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.
Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
The workaround for this vulnerability is to remove the XHCI (USB 3.x) controller from all VMs. The vulnerability is fixed in the versions listed in the response matrix below, and the recommendation is to patch affected installations as soon as possible.
Response Matrix For CVE-2020-4004:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-4004 | 9.3 | Critical | ESXi70U1b-17168206 | Remove XHCI (USB 3.x) controller | None |
| ESXi | 6.7 | Any | CVE-2020-4004 | 9.3 | Critical | ESXi670-202011101-SG | Remove XHCI (USB 3.x) controller | None |
| ESXi | 6.5 | Any | CVE-2020-4004 | 9.3 | Critical | ESXi650-202011301-SG | Remove XHCI (USB 3.x) controller | None |
| Fusion | 12.x | OS X | CVE-2020-4004 | N/A | N/A | Unaffected | N/A | N/A |
| Fusion | 11.x | OS X | CVE-2020-4004 | 9.3 | Critical | 11.5.7 | Remove XHCI (USB 3.x) controller | None |
| Workstation | 16.x | Any | CVE-2020-4004 | N/A | N/A | Unaffected | N/A | N/A |
| Workstation | 15.x | Any | CVE-2020-4004 | 9.3 | Critical | 15.5.7 | Remove XHCI (USB 3.x) controller | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-4004 | 9.3 | Critical | Patch Pending | Remove XHCI (USB 3.x) controller | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-4004 | 9.3 | Critical | Patch Pending | Remove XHCI (USB 3.x) controller | None |
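The following PowerCLI script is added here as an illustration of the advisory's workaround and patch check; it is not VMware's code. It assumes PowerCLI is installed and a Connect-VIServer session exists; the parameter name `-Remove`, the variable names and the "powered off only" rule are my own choices. The 7.0 fixed build (17168206) comes from the response matrix above, while the 6.5 and 6.7 entries are bulletin IDs rather than build numbers, so those hosts are only listed for manual comparison.

```powershell
# Added example, not part of the VMSA advisory. Without -Remove the script only
# reports; with -Remove it detaches the xHCI controller from powered-off VMs.
param(
    [switch]$Remove
)

# Build number taken from the advisory's ESXi 7.0 fixed version (ESXi70U1b-17168206).
$fixedBuild70 = 17168206

Write-Host "== ESXi host patch status for CVE-2020-4004 / CVE-2020-4005 =="
foreach ($h in Get-VMHost) {
    $status = if ($h.Version -like '7.0*') {
        if ([int]$h.Build -ge $fixedBuild70) { 'patched' } else { 'VULNERABLE (build below 17168206)' }
    } else {
        'compare build with the 6.5/6.7 bulletin in the response matrix'
    }
    Write-Host ("{0,-30} {1,-8} {2,-10} {3}" -f $h.Name, $h.Version, $h.Build, $status)
}

Write-Host "`n== VMs with a USB 3.x (xHCI) controller attached =="
$findings = foreach ($vm in Get-VM) {
    $view = $vm | Get-View -Property Name, 'Config.Hardware.Device', 'Runtime.PowerState'
    foreach ($dev in $view.Config.Hardware.Device) {
        # VirtualUSBXHCIController is the vSphere API device class for the USB 3.x controller.
        if ($dev -isnot [VMware.Vim.VirtualUSBXHCIController]) { continue }
        [pscustomobject]@{
            VM         = $view.Name
            Device     = $dev.DeviceInfo.Label
            Key        = $dev.Key
            PowerState = $view.Runtime.PowerState
        }
        if ($Remove) {
            if ($view.Runtime.PowerState -ne 'poweredOff') {
                Write-Warning "$($view.Name): not powered off, skipping removal"
                continue
            }
            # Reconfigure spec that removes only this one device.
            $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
            $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
            $change.Device = $dev
            $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
            $spec.DeviceChange = @($change)
            $view.ReconfigVM($spec)   # synchronous; returns when the device is gone
            Write-Host "$($view.Name): removed $($dev.DeviceInfo.Label)"
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it once without `-Remove` to review the inventory, then with `-Remove` after the affected VMs are shut down.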
VMX elevation-of-privilege vulnerability (CVE-2020-4005)
VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are managed. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
Known Attack Vectors: A malicious actor with privileges within the VMX process only may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability (e.g. CVE-2020-4004).
There is no workaround for this issue at present; to remediate CVE-2020-4005, apply the patches listed in the 'Fixed Version' column of the response matrix below.
Response Matrix For CVE-2020-4005:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2020-4005 | 8.8 | Important | ESXi70U1b-17168206 | None | None |
| ESXi | 6.7 | Any | CVE-2020-4005 | 8.8 | Important | ESXi670-202011101-SG | None | None |
| ESXi | 6.5 | Any | CVE-2020-4005 | 8.8 | Important | ESXi650-202011301-SG | None | None |
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2020-4005 | 8.8 | Important | Patch Pending | None | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2020-4005 | 8.8 | Important | Patch Pending | None | None |
Source: VMware Advisory VMSA-2020-0026