VMware ESXi (7.0 before ESXi70U1b-17168206, 6.7 before ESXi670-202011101-SG, 6.5 before ESXi650-202011301-SG), Workstation (15.x before 15.5.7), Fusion (11.x before 11.5.7) contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

The version of VMware Workstation installed on the remote Windows host is 15.x prior to 15.5.7. It is, therefore, affected by a use-after-free error in the XHCI USB Controller. An unauthenticated, local attacker with administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Note that Nessus has not tested for this issue, but has instead relied only on the application's self-reported version number.

The version of VMware Fusion installed on the remote macOS or Mac OS X host is 11.x prior to 11.5.7. It is, therefore, affected by a use-after-free error in the XHCI USB Controller. An unauthenticated, local attacker with administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Note that Nessus has not tested for this issue, but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the remote VMware ESXi host is version 6.5, 6.7 or 7.0 and is affected by multiple vulnerabilities. 

  - A use-after-free error exists in the XHCI USB controller. An unauthenticated, local attacker with local     administrative privileges on a virtual machine can exploit this, to execute code as the virtual machine's     VMX process running on the host. (CVE-2020-4004)

  - A privilege escalation vulnerability exists in ESXi due to how certain system calls are managed. An     authenticated, local attacker with privileges within the VPM process can exploit this, when chained with     CVE-2020-4004, to obtain escalated privileges. (CVE-2020-4005)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

a. Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004) VMware ESXi contains a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machines VMX process running on the host.

b. VMX elevation-of-privilege vulnerability (CVE-2020-4005) VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed. A malicious actor with privileges within the VMX process only, may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability (e.g. CVE-2020-4004).

ID	Name	Product	Family	Severity
143223	VMware Workstation 15.x < 15.5.7 Use-after-free (VMSA-2020-0026)	Nessus	General	high
143222	VMware Fusion 11.x < 11.5.7 Use-after-free (VMSA-2020-0026)	Nessus	MacOS X Local Security Checks	high
143221	ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2020-0026)	Nessus	Misc.	high
143166	VMSA-2020-0026 : VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities	Nessus	VMware ESX Local Security Checks	high

Detections

Analytics

CVE-2020-4004

high

Tenable Plugins

high

high

high

high