CVE-2020-3982 – VMware Workstation BDOOR_CMD_PATCH_ACPI_TABLES Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-3982
VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202008101-SG, 6.5 before ESXi650-202007101-SG), Workstation (15.x), Fusion (11.x before 11.5.6) contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in ACPI device. A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine's vmx process or corrupt hypervisor's memory heap. VMware ESXi (versiones 7.0 anteriores a ESXi_7.0.1-0.0.16850804, versiones 6.7 anteriores a ESXi670-202008101-SG, versiones 6.5 anteriores a ESXi650-202007101-SG), Workstation (versiones 15.x), Fusion (versiones 11.x anteriores a de 11.5.6), contienen una vulnerabilidad de escritura fuera de límites debido a un problema time-of-check time-of-use en el dispositivo ACPI. Un actor malicioso con acceso administrativo a una máquina virtual puede ser capaz de explotar esta vulnerabilidad para bloquear el proceso vmx de la máquina virtual o corromper la pila de la memoria del hipervisor This vulnerability allows local attackers to escalate privileges on affected installations of VMware Workstation. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the implementation of the BDOOR_CMD_PATCH_ACPI_TABLES command. • https://www.vmware.com/security/advisories/VMSA-2020-0023.html • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE-787: Out-of-bounds Write •
CVE-2020-3965
https://notcve.org/view.php?id=CVE-2020-3965
VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.2), and Fusion (11.x before 11.5.2) contain an information leak in the XHCI USB controller. A malicious actor with local access to a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. VMware ESXi (versiones 7.0 anteriores a ESXi_7.0.0-1.20.16321839, versiones 6.7 anteriores a ESXi670-202006401-SG y versiones 6.5 anteriores a ESXi650-202005401-SG), Workstation (versiones 15.x anteriores a 15.5.2) y Fusion (versiones 11.x anteriores a 11.5. 2), contiene una filtración de información en el controlador USB XHCI. Un actor malicioso con acceso local a una máquina virtual puede ser capaz de leer información privilegiada contenida en la memoria del hipervisor desde una máquina virtual • http://packetstormsecurity.com/files/158459/VMware-ESXi-Use-After-Free-Out-Of-Bounds-Access.html http://seclists.org/fulldisclosure/2020/Jul/22 https://www.vmware.com/security/advisories/VMSA-2020-0015.html • CWE-125: Out-of-bounds Read •
CVE-2020-3964
https://notcve.org/view.php?id=CVE-2020-3964
VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.2), and Fusion (11.x before 11.5.2) contain an information leak in the EHCI USB controller. A malicious actor with local access to a virtual machine may be able to read privileged information contained in the hypervisor's memory. Additional conditions beyond the attacker's control need to be present for exploitation to be possible. VMware ESXi (versiones 7.0 anteriores a ESXi_7.0.0-1.20.16321839, versiones 6.7 anteriores a ESXi670-202006401-SG y versiones 6.5 anteriores a ESXi650-202005401-SG), Workstation (versiones 15.x anteriores a 15.5.2) y Fusion (versiones 11.x anteriores a 11.5. 2), contiene una filtración de información en el controlador USB EHCI. Un actor malicioso con acceso local a una máquina virtual puede ser capaz de leer información privilegiada contenida en la memoria del hipervisor. • http://packetstormsecurity.com/files/158459/VMware-ESXi-Use-After-Free-Out-Of-Bounds-Access.html http://seclists.org/fulldisclosure/2020/Jul/22 https://www.vmware.com/security/advisories/VMSA-2020-0015.html • CWE-908: Use of Uninitialized Resource •
CVE-2020-3963
https://notcve.org/view.php?id=CVE-2020-3963
VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.2), and Fusion (11.x before 11.5.2) contain a use-after-free vulnerability in PVNVRAM. A malicious actor with local access to a virtual machine may be able to read privileged information contained in physical memory. VMware ESXi (versiones 7.0 anteriores a ESXi_7.0.0-1.20.16321839, versiones 6.7 anteriores a ESXi670-202006401-SG y versiones 6.5 anteriores a ESXi650-202005401-SG), Workstation (versiones 15.x anteriores a 15.5.2) y Fusion (versiones 11.x anteriores a 11.5. 2), contiene una vulnerabilidad de uso de la memoria previamente liberada en PVNVRAM. Un actor malicioso con acceso local a una máquina virtual puede ser capaz de leer información privilegiada contenida en la memoria física • http://packetstormsecurity.com/files/158459/VMware-ESXi-Use-After-Free-Out-Of-Bounds-Access.html http://seclists.org/fulldisclosure/2020/Jul/22 https://www.vmware.com/security/advisories/VMSA-2020-0015.html • CWE-416: Use After Free •
CVE-2020-3966 – VMware Workstation EHCI Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-3966
VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-202004101-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.2), and Fusion (11.x before 11.5.2) contain a heap-overflow due to a race condition issue in the USB 2.0 controller (EHCI). A malicious actor with local access to a virtual machine may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible. VMware ESXi (versiones 7.0 anteriores a ESXi_7.0.0-1.20.16321839, versiones 6.7 anteriores a ESXi670-202004101-SG y versiones 6.5 anteriores a ESXi650-202005401-SG), Workstation (versiones 15.x anteriores a 15.5.2) y Fusion (versiones 11.x anteriores a 11.5. 2), contiene un desbordamiento de la pila debido a un problema de condición de carrera en el controlador USB 2.0 (EHCI). Un actor malicioso con acceso local a una máquina virtual puede ser capaz de explotar esta vulnerabilidad para ejecutar código en el hipervisor desde una máquina virtual. • https://www.vmware.com/security/advisories/VMSA-2020-0015.html https://www.zerodayinitiative.com/advisories/ZDI-20-783 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •