Does your company make use of VMware products?

If so, be advised that a pair of researchers from Synacktiv recently reported a series of critical security flaws in VMware's ESXi, Workstation and Fusion products.

The recent discovery prompted the company to issue an emergency security patch to address those issues.

The most serious of the bunch, which earned a 9.3 CVSSv3 severity score, is being tracked as CVE-2020-3962. It is a flaw in the SVGA device that could allow an attacker with local access to the machine to execute arbitrary code on the hypervisor from a virtual machine.

The latest patch also addresses the following security vulnerabilities

  • CVE-2020-3963
  • CVE-2020-3964
  • CVE-2020-3965
  • CVE-2020-3966
  • CVE-2020-3967
  • CVE-2020-3968
  • CVE-2020-3969
  • CVE-2020-3970
  • CVE-2020-3971

These issues range in severity from 4.0 to 8.1 and all are related to different ways that a local attacker with access to a virtual machine could execute arbitrary code, trigger a DoS condition, or read privileged information on the compromised devices.

To block attacks exploiting all of the vulnerabilities listed above, VMware recommends immediately upgrading to version 15.5.5 (VMware Fusion (Pro), while VMware ESXI customers should upgrade to ESXi_7.0.0-1.20.16321839, ESXi670-202004101-SG, or ESXi650-202005401-SG.

Kudos to Synacktiv researchers Bruno Pujos and Corentin Bayet for their diligent research, and to the management team at VMware for making the patches addressing these issues available with all speed.

This, of course, will not be the last time researchers uncover serious security flaws in software. However, this example is a textbook case of deft handling by the companies involved.

Our perspective

If you use VMware products, be sure to check to see what version you're running, and if need be, upgrade to the latest right away. Since all of the potential attacks here require local access to exploit, the risk is low, but there's no advantage to having any unnecessary exposure.

~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there! " ~


By Denis Wilson and Melissa Stockwell

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available on LinkedIn, Facebook, and Twitter.

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT SupportI am Denis Wilson, President and Principal Consultant for DWP Information Architects. We build people / process / technology solutions to create better business outcomes for smaller enterprises in Los Angeles. We have created cost-effective automation solutions, for over 20 years, focusing on reliability, cybersecurity, and regulatory compliance.

I am also a published author and speaker, working extensively with business and professional associations to provide small business technology education programs.

Contact me if you would like me to speak at your association