VMware ESXi (7.0 before ESXi70U1b-17168206, 6.7 before ESXi670-202011101-SG, 6.5 before ESXi650-202011301-SG), Workstation (15.x prior to 15.5.7), Fusion (11.x prior to 11.5.7) contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
| Vulnerable Product |
|---|
| vmware fusion |
| vmware cloud foundation |
| vmware workstation |
| vmware esxi 6.5 |
| vmware esxi 6.7 |
| vmware esxi 7.0 |

ESXi, Cloud Foundation, and desktop hypervisor users should get patching
VMware has revealed and repaired the flaws in its hypervisor discovered at China’s Tianfu Cup white hat hacking competition. CVE-2020-4004, rated critical due to its 9.3 on the CVSS scale, is described as a “Use-after-free vulnerability in XHCI USB controller”. It allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. The VMX process runs in the VMkernel and is responsible for handling I/O...