Skip to main content

VMware Patches Many Security Issues To Fix Certain Vulnerabilities

By July 9, 2020May 5th, 2022Cybersecurity

Does your company make use of VMware products? If so, be advised that a pair of researchers from Synacktiv recently reported a series of critical security flaws in VMware’s ESXi, Workstation and Fusion products.

The recent discovery prompted the company to issue an emergency security patch to address those issues.

The most serious of the bunch, which earned a 9.3 CVSSv3 severity score, is being tracked as CVE-2020-3962. It is a flaw in the SVGA device that could allow an attacker with local access to the machine to execute arbitrary code on the hypervisor from a virtual machine.

In addition to that, the latest patch also addresses the following security vulnerabilities:

  • CVE-2020-3963
  • CVE-2020-3964
  • CVE-2020-3965
  • CVE-2020-3966
  • CVE-2020-3967
  • CVE-2020-3968
  • CVE-2020-3969
  • CVE-2020-3970
  • CVE-2020-3971

These issues range in severity from 4.0 to 8.1 and all are related to different ways that a local attacker with access to a virtual machine could execute arbitrary code, trigger a DoS condition, or read privileged information on the compromised devices.

To block attacks exploiting all of the vulnerabilities listed above, VMware recommends immediately upgrading to version 15.5.5 (VMware Fusion (Pro), while VMware ESXI customers should upgrade to ESXi_7.0.0-1.20.16321839, ESXi670-202004101-SG, or ESXi650-202005401-SG.

Kudos to Synacktiv researchers Bruno Pujos and Corentin Bayet for their diligent research, and to the management team at VMware for making the patches addressing these issues available with all speed.

This, of course, will not be the last time researchers uncover serious security flaws in software. However, this example is a textbook case of deft handling by the companies involved.

If you use VMware products, be sure to check to see what version you’re running, and if need be, upgrade to the latest right away. Since all of the potential attacks here require local access to exploit, the risk is low, but there’s no advantage to having any unnecessary exposure.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.