Product Security Bulletin for Third-Party VMware Vulnerabilities
BD is aware of and currently monitoring multiple vulnerabilities in VMware products. These third-party vulnerabilities, which VMware corrected with their recent patch release, are not specific to BD or our products. These vulnerabilities affect VMware ESXi, VMware Workstation Pro/Player, VMware Fusion Pro/Fusion, VMware Remote Console for Mac, and VMware Horizon Client for Mac. BD has not received any reports regarding these vulnerabilities being exploited on BD products. Additionally, BD does not utilize VMware products that are specific to Mac OS.
CVE-2020-3957 is a local privilege escalation vulnerability that impacts VMware Fusion, VMware Remote Console (VMRC) for Mac, and Horizon Client for Mac. This vulnerability does not apply to any BD product.
CVE-2020-3958 impacts VMware ESXi, Workstation Pro/Player, and Fusion products and could potentially allow a user with non-administrative access to a virtual machine to cause a denial of service. To exploit this vulnerability, the user would need access to a virtual machine with 3D graphics enabled. VMware ESXi does not have 3D graphics enabled by default; VMware Workstation Pro/Player and VMware Fusion Pro/Fusion do. This vulnerability could impact BD products that utilize VMware ESXi.
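Because the bulletin ties CVE-2020-3958 to virtual machines with 3D graphics enabled, and notes that ESXi leaves it off by default, an inventory of which VMs actually have it on is a useful pre-patch check. The following audit script is an added example, not code from BD or VMware; it parses the `key = "value"` lines of VMware `.vmx` files and flags any VM whose `mks.enable3d` key (the real `.vmx` setting for guest 3D acceleration) is set to TRUE, using constructed sample configurations in place of real datastores.

```python
"""Audit .vmx files for VMs with 3D graphics enabled (added helper, not BD/VMware code)."""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Real .vmx key controlling guest 3D acceleration; absent or FALSE means disabled.
ENABLE_3D_KEY = "mks.enable3d"

# Matches `key = "value"` or `key = value`; lines starting with '#' are comments.
_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse the key/value lines of a .vmx file into a dict (keys lower-cased)."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            config[m.group(1).lower()] = m.group(2)
    return config


def has_3d_enabled(config: Dict[str, str]) -> bool:
    """ESXi leaves 3D off by default, so only an explicit TRUE counts as enabled."""
    return config.get(ENABLE_3D_KEY, "FALSE").strip().upper() == "TRUE"


def audit(vmx_files: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the paths of VMs whose configuration enables 3D graphics."""
    return sorted(path for path, text in vmx_files if has_3d_enabled(parse_vmx(text)))


def scan_datastores(root: str) -> List[str]:
    """Walk a datastore root (e.g. /vmfs/volumes on an ESXi host) and audit every .vmx found."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".vmx"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found.append((path, fh.read()))
    return audit(found)


# Constructed sample configurations standing in for real .vmx files.
SAMPLE_VMX = {
    "/vmfs/volumes/ds1/app-srv/app-srv.vmx": 'displayName = "app-srv"\nmks.enable3d = "TRUE"\n',
    "/vmfs/volumes/ds1/db-srv/db-srv.vmx": 'displayName = "db-srv"\nmks.enable3d = "FALSE"\n',
    "/vmfs/volumes/ds1/util/util.vmx": 'displayName = "util"\n# no mks.enable3d key: default is off\n',
}

if __name__ == "__main__":
    for path in audit(SAMPLE_VMX.items()):
        print(f"3D graphics enabled, review before patching: {path}")
```

On a live host, `scan_datastores("/vmfs/volumes")` performs the same audit over real configuration files; a VM with 3D graphics disabled does not meet the precondition the bulletin describes for this CVE.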
CVE-2020-3959 is a memory leak vulnerability in the VMCI module. This vulnerability impacts VMware ESXi, VMware Workstation Pro/Player, and VMware Fusion Pro/Fusion. If exploited, a user with non-administrative access to a virtual machine could potentially cause a partial denial of service. This vulnerability could impact BD products that utilize VMware ESXi.
BD is currently working to test and validate the VMware security update for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize VMware ESXi.
BD has not received any reports of these third-party vulnerabilities being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize VMware ESXi. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.
Customers that maintain patches independently of BD's automated delivery should ensure these actions are performed, as the responsible entity, in order to maintain the correct security posture of their system(s).
Ensure the following VMware patches have been applied:
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by these third-party vulnerabilities, disconnect the device from the network and contact your BD service representative immediately.