VMware has revealed and repaired the flaws in its hypervisor discovered at China’s Tianfu Cup white hat hacking competition.
CVE-2020-4004, rated critical due to its 9.3 on the CVSS scale, is described as a “Use-after-free vulnerability in XHCI USB controller”. It allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. The VMX process runs in the VMkernel and is responsible for handling I/O to devices, so there’s the potential for data exfiltration. The bug needs patching in ESXi from version 6.5, VMware’s Fusion and Workstation desktop hypervisors from versions 11 and 15 respectively, plus VMware Cloud Foundation from version 3.
CVE-2020-4005 is a VMX elevation-of-privilege vulnerability and rated as important with an 8.8 CVSS score. Getting this one to work requires exploitation of the other bug described above. Users of ESXi from version 6.5 and Cloud Foundation from version 3 need to get busy on this one.
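A defender's first job with an advisory like this is to work out which hosts in an inventory fall into the affected product lines and in what order to patch them. The script below is an added example, not code from The Register or from VMware: it encodes the "needs patching from version" baselines and CVSS scores stated above, applies them to a constructed inventory with proper version comparison (so "6.7.0" is recognised as at or above "6.5" and "14.1" as below "15"), and records that CVE-2020-4005 is only reachable after CVE-2020-4004. The `Host` class, the product spellings, and the `fixed_builds` mapping are assumptions; the article gives no fixed build numbers, so the first-fixed-build values must come from VMware's advisory and are left as caller input.

```python
"""Added example (not from the article or VMware): triage a constructed
hypervisor inventory against the affected-from baselines the article states
for CVE-2020-4004 and CVE-2020-4005. Fixed build numbers are not on the page,
so "already patched" is decided from a caller-supplied mapping taken from the
VMware advisory (empty by default, meaning every host in range is flagged)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "Needs patching from version X" as stated in the article. Product names are
# the hypothetical spelling used by this inventory.
AFFECTED_FROM: Dict[str, Dict[str, str]] = {
    "CVE-2020-4004": {"esxi": "6.5", "fusion": "11", "workstation": "15",
                      "cloud foundation": "3"},
    "CVE-2020-4005": {"esxi": "6.5", "cloud foundation": "3"},
}
CVSS = {"CVE-2020-4004": 9.3, "CVE-2020-4005": 8.8}
# CVE-2020-4005 is only exploitable after CVE-2020-4004 has been exploited.
PREREQ = {"CVE-2020-4005": "CVE-2020-4004"}


@dataclass
class Host:
    name: str
    product: str
    version: str
    build: Optional[int] = None  # build number, if the inventory records it


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.7.0' -> (6, 7, 0); a suffix such as '7.0U1' keeps only leading digits."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_at_least(version: str, baseline: str) -> bool:
    """Component-wise comparison with zero padding, so '11' == '11.0'."""
    a, b = parse_version(version), parse_version(baseline)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def applicable_cves(host: Host, fixed_builds=None) -> List[str]:
    """CVEs whose affected-from baseline the host meets, highest CVSS first.

    fixed_builds maps (product, cve) -> first fixed build number; these values
    are placeholders to be filled from the VMware advisory (not on the page)."""
    fixed_builds = fixed_builds or {}
    product = host.product.lower()
    hits = []
    for cve, baselines in AFFECTED_FROM.items():
        baseline = baselines.get(product)
        if baseline is None or not version_at_least(host.version, baseline):
            continue
        fixed = fixed_builds.get((product, cve))
        if fixed is not None and host.build is not None and host.build >= fixed:
            continue  # at or past the first fixed build: nothing to do
        hits.append(cve)
    return sorted(hits, key=lambda c: -CVSS[c])


def triage(hosts: List[Host], fixed_builds=None) -> List[dict]:
    """One report row per host that still needs action, with chain notes."""
    report = []
    for host in hosts:
        cves = applicable_cves(host, fixed_builds)
        if not cves:
            continue
        notes = []
        for cve in cves:
            note = f"{cve} (CVSS {CVSS[cve]})"
            if cve in PREREQ:
                note += f", requires {PREREQ[cve]}"
            notes.append(note)
        report.append({"host": host.name, "product": host.product,
                       "version": host.version, "cves": cves, "notes": notes})
    return report


# Constructed sample inventory; none of these are real hosts.
SAMPLE_HOSTS = [
    Host("esx-01", "ESXi", "6.7.0"),
    Host("esx-02", "ESXi", "6.0.0"),
    Host("mac-dev", "Fusion", "11.5"),
    Host("win-dev", "Workstation", "14.1"),
    Host("vcf-01", "Cloud Foundation", "3.9"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTS):
        print(row["host"], row["product"], row["version"], "->", "; ".join(row["notes"]))
```

Without a `fixed_builds` mapping the script deliberately over-reports: every host in an affected product line is listed, which is the safe default until the advisory's fixed builds have been entered. The ordering by CVSS puts CVE-2020-4004 ahead of CVE-2020-4005 on every host, which also matches the dependency noted above, since closing the use-after-free removes the precondition for the privilege escalation.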
VMware reveals critical hypervisor bugs found at Chinese white hat hacking comp. One lets guests run code on hosts
ESXi, Cloud Foundation, and desktop hypervisor users should get patching