VMware has recently patched multiple vulnerabilities affecting Workstation, Fusion, and other products, including some critical-severity bugs.
Critical Vulnerability In VMware Products
Reportedly, VMware has addressed a critical security bug affecting several of its products.
As elaborated in their advisory, the vulnerability (CVE-2020-3962) exists in VMware Workstation (Pro/Player), ESXi, Fusion (Pro/Fusion), and VMware Cloud Foundation. This critical flaw attained a CVSS score of 9.3.
Describing this use-after-free bug, the advisory reads:
VMware ESXi, Workstation and Fusion contain a Use-after-free vulnerability in the SVGA device… A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine.
Detailing the response matrix, VMware also mentioned two more vulnerabilities: a high-severity off-by-one heap-overflow flaw (CVE-2020-3969) with a CVSS score of 8.1, and a medium-severity out-of-bounds read vulnerability in shader functionality (CVE-2020-3970).
Other VMware Vulnerabilities Receiving Patches
Apart from the above three, VMware also patched six high-severity vulnerabilities affecting its products. Three of these, CVE-2020-3967, CVE-2020-3968, and CVE-2020-3966, achieved a CVSS score of 8.1, while the other three, CVE-2020-3965, CVE-2020-3964, and CVE-2020-3963, achieved a CVSS score of 7.1.
Moreover, VMware also addressed a single medium-severity flaw (CVE-2020-3971) with a CVSS score of 5.9.
In all, the vendor has therefore released fixes for 10 different security vulnerabilities.
For all six high-severity bugs, VMware has suggested removing the USB controller as a workaround, whereas no workaround is available for the single medium-severity vulnerability.
Nonetheless, the vendor has addressed all 10 bugs with the release of the latest versions of the respective products, so users should update their systems according to the advisory.
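The advisory text quoted above ties exposure to two per-VM settings: 3D graphics being enabled (the precondition for the SVGA use-after-free) and a USB controller being present (the workaround for the six high-severity bugs is to remove it). The following script is an added example, not code from the article or from VMware, that audits .vmx configuration files for those two conditions and can rewrite a file to apply the USB workaround on hosts that cannot be patched immediately. It assumes the .vmx keys `mks.enable3d` (3D acceleration) and `usb.present`, `ehci.present`, `usb_xhci.present` (USB controller types); the sample .vmx content is constructed.

```python
"""
Added example (not from the article or from VMware): audit VMware .vmx
files for 3D graphics enabled and USB controllers present, and apply the
advisory's "remove the USB controller" workaround to a .vmx text.

Assumptions (labelled): `mks.enable3d` toggles 3D acceleration, and
`usb.present`, `ehci.present`, `usb_xhci.present` each mark a USB
controller type. Keys are treated as case-insensitive.
"""
import re
from dataclasses import dataclass, field

# key = "value" lines as they appear in a .vmx file
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
USB_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")  # assumption
GRAPHICS_3D_KEY = "mks.enable3d"  # assumption


def parse_vmx(text: str) -> dict:
    """Parse key = "value" lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def is_true(value) -> bool:
    """VMX booleans are the strings TRUE/FALSE in any case."""
    return str(value).strip().upper() == "TRUE"


@dataclass
class Finding:
    vm_name: str
    usb_controllers: list = field(default_factory=list)
    graphics_3d: bool = False

    @property
    def exposed(self) -> bool:
        # Either condition means the VM matches a precondition from the advisory.
        return self.graphics_3d or bool(self.usb_controllers)


def audit_vmx(text: str) -> Finding:
    """Report which USB controller keys are enabled and whether 3D is on."""
    cfg = parse_vmx(text)
    f = Finding(vm_name=cfg.get("displayname", "<unnamed>"))
    f.usb_controllers = [k for k in USB_KEYS if is_true(cfg.get(k, "FALSE"))]
    f.graphics_3d = is_true(cfg.get(GRAPHICS_3D_KEY, "FALSE"))
    return f


def remediate_usb(text: str) -> str:
    """Return the .vmx text with every USB controller key forced to FALSE.

    This mirrors the advisory's workaround of removing the USB controller;
    it is a stop-gap until the patched product version is installed.
    """
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in USB_KEYS:
            out.append(f'{m.group(1)} = "FALSE"')
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample .vmx fragment (not a real VM configuration).
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "build-agent-01"
mks.enable3d = "TRUE"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
ehci.present = "FALSE"
'''

if __name__ == "__main__":
    finding = audit_vmx(SAMPLE_VMX)
    print(f"{finding.vm_name}: 3D={finding.graphics_3d} "
          f"USB={finding.usb_controllers} exposed={finding.exposed}")
    print(remediate_usb(SAMPLE_VMX))
```

Run it over each VM's .vmx on a host to get a quick list of guests that still match the advisory's preconditions; the remediation step only neutralises the USB controller keys and deliberately leaves 3D settings untouched, since the article reports no workaround for the SVGA bug other than updating.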
Let us know your thoughts in the comments.