
Severity
Medium
Analysis Summary
Multiple vulnerabilities in VMware Workstation, Fusion and Horizon Client were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
PATH configuration privilege escalation vulnerability (CVE-2020-3980)
VMware Fusion contains a privilege escalation vulnerability due to the way it allows configuring the system-wide path. An attacker with normal user privileges may exploit this issue to trick an admin user into executing malicious code on the system where Fusion is installed.
Multiple out-of-bounds read vulnerabilities (CVE-2020-3986, CVE-2020-3987, CVE-2020-3988)
VMware Workstation and Horizon Client for Windows contain multiple out-of-bounds read vulnerabilities in the Cortado ThinPrint component. These issues exist in the EMF and JPEG2000 parsers. A malicious actor with normal access to a virtual machine may be able to exploit these issues to create a partial denial-of-service condition or to leak memory from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation, but it is enabled by default on Horizon Client.
Denial-of-service vulnerability (CVE-2020-3989)
VMware Workstation and Horizon Client for Windows contain a denial-of-service vulnerability due to an out-of-bounds write issue in the Cortado ThinPrint component. A malicious actor with normal access to a virtual machine may be able to exploit this issue to create a partial denial-of-service condition on the system where Workstation or Horizon Client for Windows is installed.
Information disclosure vulnerability (CVE-2020-3990)
VMware Workstation and Horizon Client for Windows contain an information disclosure vulnerability due to an integer overflow issue in the Cortado ThinPrint component. A malicious actor with normal access to a virtual machine may be able to exploit this issue to leak memory from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.
Impact
- Privilege Escalation
- Denial of Service
- Memory Leakage
Affected Vendors
VMware
Affected Products
- VMware Fusion Pro / Fusion 11.x
- VMware Horizon Client for Windows 5.x and prior
- VMware Workstation Pro/Player 15.x
Remediation
Updates are available. Update to:
- Horizon Client for Windows 5.4.4
- Workstation 15.5.7
- Fusion 11.5.7
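The following triage helper is an added example, not part of the original advisory or any VMware tooling: it checks an installed product version against the affected branches and fixed releases listed above and returns the CVEs that apply. The product keys, function names and sample inventory are assumptions made for the example, and the virtual-printing precondition is applied only to the out-of-bounds read CVEs, where the advisory states it.

```python
import re

THINPRINT_CVES = ["CVE-2020-3986", "CVE-2020-3987", "CVE-2020-3988",
                  "CVE-2020-3989", "CVE-2020-3990"]
# The advisory states the virtual-printing precondition for the OOB reads.
PRINTING_GATED = {"CVE-2020-3986", "CVE-2020-3987", "CVE-2020-3988"}

# Product keys are names chosen for this example. "branch" is the inclusive
# range of affected major versions: 11.x, 15.x, and "5.x and prior".
ADVISORY = {
    "fusion": {"branch": (11, 11), "fixed": (11, 5, 7),
               "cves": ["CVE-2020-3980"], "printing_default": None},
    "workstation": {"branch": (15, 15), "fixed": (15, 5, 7),
                    "cves": THINPRINT_CVES, "printing_default": False},
    "horizon-client-windows": {"branch": (0, 5), "fixed": (5, 4, 4),
                               "cves": THINPRINT_CVES, "printing_default": True},
}

def parse_version(text):
    """Turn '15.5.6' or '15.5.6 build-1' into a comparable 3-tuple."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(product, version, virtual_printing=None):
    """Return (status, applicable CVEs) for one installed product."""
    entry = ADVISORY.get(product)
    if entry is None:
        return ("not-covered", [])      # product not in this advisory
    v = parse_version(version)
    lo, hi = entry["branch"]
    if not lo <= v[0] <= hi:
        return ("not-listed", [])       # branch not named in this advisory
    if v >= entry["fixed"]:
        return ("fixed", [])
    if virtual_printing is None:        # fall back to the product default
        virtual_printing = entry["printing_default"]
    cves = [c for c in entry["cves"]
            if c not in PRINTING_GATED or virtual_printing]
    return ("update-required", cves)

if __name__ == "__main__":
    # Constructed inventory rows: (product, version, virtual printing setting).
    for row in [("workstation", "15.5.6", None), ("fusion", "11.5.7", None),
                ("horizon-client-windows", "4.10.0", None)]:
        print(row[0], row[1], *triage(*row))
```

A host still reports "update-required" when virtual printing is off; the setting only narrows which CVEs are listed for it.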