November 20, 2020
Yesterday (19 November 2020) VMware released a new VMware Security Advisory, VMSA-2020-0026, with a Critical severity rating. As with the recent VMSA-2020-0023, VMware bundles several CVEs of different severities into a single VMSA. (Common Vulnerabilities and Exposures, CVE, is the public dictionary of identifiers for disclosed security vulnerabilities.) Usually we complain about that kind of bundling, but this time it makes some sense, because the two flaws were found together and are most dangerous when chained. How concerned should you be this time?
CVE-2020-4004 (note that at the time of publishing this article NVD had not yet updated the public page for this vulnerability) is rated Critical. Use-after-free is a class of memory corruption bug that can crash a program or be turned into arbitrary code execution. It occurs when a program frees a block of memory and later keeps using it through a stale pointer as if it were still valid; in the meantime an attacker who can trigger new allocations may have had that memory handed back to them and filled it with data of their choosing, so the program now operates on attacker-controlled content. In this case the affected component is the virtual xHCI (USB 3.x) controller that ESXi emulates for the guest. A malicious actor with local administrative privileges inside a virtual machine may exploit this issue to execute code on the hypervisor, in the context of the virtual machine's VMX process (the per-VM process that runs on the ESXi host).
Fixed versions of ESXi 6.5, 6.7, and 7.0 have already been released. If you cannot patch your hosts immediately, there is a workaround: remove the xHCI USB controller from your virtual machines (the VM must be powered off for the removal, and any USB devices attached through that controller will no longer be available to the guest). As part of a defence-in-depth strategy, removing all unnecessary virtual devices from your VMs is a good practice recommended by many security standards, including VMware's own hardening guides. To exploit this flaw the attacker needs admin rights inside the guest, the VM must be configured with an xHCI USB controller, and even then the attacker ends up with the privileges of the sandboxed VMX process rather than full admin rights on the ESXi host (although, as the next CVE shows, that foothold can be chained with other flaws to escalate further). So this is cause for concern, but it can be mitigated reasonably easily simply by following existing security recommendations.
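The following PowerCLI script is an added example for this article, not code from the original post or from Runecast Analyzer. It enumerates every VM that still has an xHCI USB controller (the precondition for CVE-2020-4004), lists the ESXi host builds so you can compare them with the fixed builds in the VMSA response matrix, and, only when run with `-Remove`, applies the VMSA workaround by removing the controller from powered-off VMs. It assumes VMware PowerCLI is installed and that you have already run `Connect-VIServer`; the `-Remove` switch and the variable names are this example's own choices.

```powershell
# Added example: report VMs with an xHCI USB controller and optionally remove it
# (VMSA-2020-0026 workaround for CVE-2020-4004). Assumes an active Connect-VIServer session.
param(
    [switch]$Remove   # without this switch the script only reports, it changes nothing
)

# 1. Host patch level: compare Build against the fixed builds listed in VMSA-2020-0026.
Write-Host "ESXi hosts and builds (compare with the VMSA response matrix):"
Get-VMHost | Select-Object Name, Version, Build | Format-Table -AutoSize

# 2. Find every VM whose virtual hardware contains an xHCI controller.
$affected = foreach ($vm in Get-VM) {
    $view = $vm | Get-View -Property Name, Runtime.PowerState, Config.Hardware.Device
    $xhci = $view.Config.Hardware.Device |
            Where-Object { $_ -is [VMware.Vim.VirtualUSBXHCIController] }
    foreach ($ctrl in $xhci) {
        [pscustomobject]@{
            VM         = $view.Name
            PowerState = $view.Runtime.PowerState
            DeviceKey  = $ctrl.Key
            Label      = $ctrl.DeviceInfo.Label
        }
    }
}

Write-Host "VMs exposed to CVE-2020-4004 (xHCI controller present):"
$affected | Format-Table -AutoSize

# 3. Workaround: remove the controller. Only powered-off VMs are touched.
if ($Remove) {
    foreach ($entry in $affected) {
        if ($entry.PowerState -ne 'poweredOff') {
            Write-Warning "$($entry.VM): power the VM off before removing its xHCI controller; skipping."
            continue
        }
        $vmView = Get-VM -Name $entry.VM | Get-View -Property Config.Hardware.Device
        $device = $vmView.Config.Hardware.Device | Where-Object { $_.Key -eq $entry.DeviceKey }

        # Build a reconfigure spec with a single "remove" device change.
        $devSpec           = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $devSpec.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
        $devSpec.Device    = $device
        $spec              = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.DeviceChange = @($devSpec)

        $vmView.ReconfigVM($spec)
        Write-Host "$($entry.VM): removed $($entry.Label)."
    }
}
```

Run it once without `-Remove` to get the inventory, schedule the power-off, then run it again with `-Remove`. If a VM has USB devices passed through on that controller, detach them first; the reconfigure will otherwise be rejected. Once the hosts are at a fixed build the controller can be re-added for guests that genuinely need USB 3.x.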
CVE-2020-4005 (as above, the public NVD page was not yet updated at the time of publishing this article) is rated Important. VMware ESXi contains a flaw in the way certain system calls are handled. An attacker who already has code execution within the VMX process, and nothing more, may use it to escalate their privileges on the ESXi host.
Fixed versions of ESXi 6.5, 6.7, and 7.0 are available for download now. There is no workaround for this issue. On its own the attacker would first need some other flaw to gain VMX process privileges, so in isolation the issue can be managed; the catch is that CVE-2020-4004 above provides exactly that first step, which is why the two were disclosed together.
Neither CVE in isolation is a tragedy, but chained together (or with other flaws you have not patched against), and combined with a loosely hardened environment or an overlooked VM, they give a guest administrator a path to the hypervisor. In that case you should be worried, and you should patch your hosts, or at the very least review your infrastructure, as soon as possible. Good patching hygiene is an important part of keeping your environments secure.
The flaws were discovered together during the Tianfu Cup 2020 hacking competition, just 11 days before VMware released fixed versions... and 12 days before Runecast Analyzer started covering the VMSA for you.
Runecast Analyzer knowledge definition version 220.127.116.11, released today (Friday 20 November 2020, less than 10 hours after the VMSA was published), includes detection and reporting for this VMware Security Advisory. As always, where automatic updates are enabled, Runecast Analyzer users will receive the new definitions during the next update cycle, with offline updates available through the Runecast customer portal as usual. While VMware has opted to bundle multiple CVEs into a single VMSA, here at Runecast we believe they should be reported individually for greater clarity, so Runecast Analyzer runs one check for each CVE.