VMware Fixed Multiple Vulnerabilities In Workstation, Fusion, and Others

VMware has patched multiple vulnerabilities affecting Workstation, Fusion, ESXi, and VMware Cloud Foundation, including one of critical severity.

Critical Vulnerability In VMware Products

Reportedly, VMware has addressed a critical security bug affecting its products.

As detailed in the advisory, the vulnerability (CVE-2020-3962) affects VMware Workstation (Pro and Player), ESXi, Fusion (Pro and Fusion), and VMware Cloud Foundation, and carries a CVSS score of 9.3.

Describing this use-after-free bug, the advisory reads:

VMware ESXi, Workstation and Fusion contain a Use-after-free vulnerability in the SVGA device… A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine.

The advisory's response matrix lists two more vulnerabilities alongside it: a high-severity off-by-one heap overflow (CVE-2020-3969) with a CVSS score of 8.1, and a medium-severity out-of-bounds read in the shader functionality (CVE-2020-3970).

Other VMware Vulnerabilities Receiving Patches

Apart from the above three, VMware also patched six high-severity vulnerabilities affecting its products. Three of these, CVE-2020-3967, CVE-2020-3968, and CVE-2020-3966, carry a CVSS score of 8.1; the other three, CVE-2020-3965, CVE-2020-3964, and CVE-2020-3963, carry a CVSS score of 7.1.

VMware also addressed a single medium-severity flaw (CVE-2020-3971) with a CVSS score of 5.9.

In all, the vendor has released fixes for 10 security vulnerabilities.

For all six high-severity bugs, VMware suggests removing the USB controller from the affected virtual machines as a workaround.

For the single medium-severity vulnerability, no workaround is available.

All 10 bugs are fixed in the latest versions of the respective products, so users should update according to the advisory. A workaround only reduces exposure until the patched version is installed; it is not a substitute for the update.
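Two facts on this page are directly checkable in a VM's configuration: the critical SVGA bug needs 3D graphics enabled in the guest, and the USB-controller bugs are worked around by removing the USB controller. The script below, an added example that is not part of the original article or of any VMware tooling, parses `.vmx` files and reports which VMs meet either condition, then produces a copy with the USB controllers removed. The VMX keys it inspects (`mks.enable3d`, `usb.present`, `ehci.present`, `usb_xhci.present`) are the ones this example assumes represent 3D acceleration and the USB 1.1/2.0/3.0 controllers; the sample configuration is constructed for the example and is not a real guest.

```python
"""Audit VMware .vmx files for the exposure conditions named in VMSA advisory
coverage on this page: 3D graphics enabled (precondition for CVE-2020-3962)
and USB controllers present (the USB-controller bugs), and emit a hardened
copy with the USB workaround applied.  Example code, not VMware's."""
import re
import sys
from pathlib import Path

# Constructed sample .vmx fragment for this example; not a real guest config.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "16"
displayName = "build-agent-01"
mks.enable3d = "TRUE"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
usb.generic.autoconnect = "FALSE"
"""

# VMX lines look like:  key = "value"
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Assumed keys for the USB 1.1, 2.0 (EHCI) and 3.0 (xHCI) controllers.
USB_CONTROLLER_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")
# Assumed key for 3D acceleration in the guest's virtual SVGA device.
THREE_D_KEY = "mks.enable3d"


def parse_vmx(text: str) -> dict:
    """Parse key = "value" lines into a dict; unrecognised lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def is_true(cfg: dict, key: str) -> bool:
    """VMX booleans are case-insensitive strings; a missing key means FALSE."""
    return cfg.get(key, "FALSE").upper() == "TRUE"


def audit(cfg: dict) -> dict:
    """Report the two exposure conditions the advisory coverage describes."""
    return {
        "name": cfg.get("displayName", "<unnamed>"),
        # 3D enabled: the advisory's stated precondition for the SVGA UAF.
        "3d_enabled": is_true(cfg, THREE_D_KEY),
        # Any USB controller attached: the workaround is to remove it.
        "usb_controllers": [k for k in USB_CONTROLLER_KEYS if is_true(cfg, k)],
    }


def apply_usb_workaround(text: str) -> str:
    """Return a copy of the .vmx with every USB controller key set to FALSE.

    Only the controller keys are touched; all other lines, including the
    3D setting, are preserved byte-for-byte.  Apply with the VM powered off.
    """
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1) in USB_CONTROLLER_KEYS:
            out.append(f'{m.group(1)} = "FALSE"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def scan_directory(root: Path) -> list:
    """Audit every .vmx under root; returns one report dict per VM."""
    return [audit(parse_vmx(p.read_text(errors="replace")))
            for p in sorted(root.rglob("*.vmx"))]


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise demonstrate on the sample.
    reports = (scan_directory(Path(sys.argv[1])) if len(sys.argv) > 1
               else [audit(parse_vmx(SAMPLE_VMX))])
    for r in reports:
        flags = []
        if r["3d_enabled"]:
            flags.append("3D enabled (CVE-2020-3962 precondition)")
        if r["usb_controllers"]:
            flags.append("USB controllers: " + ", ".join(r["usb_controllers"]))
        print(f'{r["name"]}: ' + ("; ".join(flags) if flags else "no flagged settings"))
    if len(sys.argv) == 1:
        print("--- hardened sample ---")
        print(apply_usb_workaround(SAMPLE_VMX), end="")
```

Run it with a datastore or VM folder path to list every guest that still has a USB controller attached or 3D acceleration on; the hardened output is what the USB workaround looks like at the file level, and it deliberately leaves `mks.enable3d` alone because the page does not describe a workaround for the SVGA bug.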


Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
