Critical ESXi Vulnerabilities Announced by VMware (CVE-2020-4004, CVE-2020-4005)

by Richard Charlton
Senior Systems Engineer

VMware announced yesterday (November 19, 2020) two new vulnerabilities affecting ESXi 6.5, 6.7 and 7.0.

CVE-2020-4004 has been named ‘Use-after-free vulnerability in XHCI USB controller’ and allows a bad actor with local administrative privileges on a VM to execute code on the host. As such, this vulnerability has been categorized as Critical and given a CVSSv3 score of 9.3 out of 10.

The workaround for this vulnerability is to remove the XHCI (USB 3.x) controller from all virtual machines. The vulnerability is fixed in the following releases, and our recommendation is to patch installations as soon as possible:

  • ESXi70U1b-17168206
  • ESXi670-202011101-SG
  • ESXi650-202011301-SG

CVE-2020-4005 has been named ‘VMX elevation-of-privilege vulnerability’ and allows a bad actor to escalate privileges when chained with CVE-2020-4004 above. This vulnerability has been categorized with a severity of Important and CVSSv3 rating of 8.8 out of 10. No workaround exists for this vulnerability, but it is fixed in the above patches. Again, Helient Systems recommends patching at the earliest opportunity.
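The following PowerCLI script is an added example for this advisory; it is not VMware's code or part of the original post. It does two things an administrator wants to know before and after applying the fixes above: it lists every ESXi host with its version and build, flagging 7.0 hosts still below the ESXi70U1b build named above (17168206), and it finds every VM that carries an xHCI (USB 3.x) controller, which is exactly the device the CVE-2020-4004 workaround removes. With the `-Remove` switch it removes that controller from powered-off VMs; without it, it only reports. Assumed: the VMware.PowerCLI module is installed, the account used has host read and VM.Config.RemoveDevice rights, the `$VIServer` value is your own vCenter or host name, and that the controller is removed while the VM is powered off. The 6.5 and 6.7 patch IDs on this page are bulletin names rather than build numbers, so for those hosts the script prints the build for you to compare against the bulletin's release notes instead of guessing a threshold.

```powershell
<#
  Added example (not from the original advisory): inventory ESXi host patch
  status and locate/remove xHCI USB controllers (CVE-2020-4004 workaround).
  Assumptions: VMware.PowerCLI installed; login with host read rights and
  VM.Config.RemoveDevice; $VIServer replaced with your own server name.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $VIServer,   # placeholder: your vCenter / ESXi host
    [switch] $Remove                             # without this switch the script only reports
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VIServer -ErrorAction Stop | Out-Null

# --- 1. Host patch status -------------------------------------------------
# Only the 7.0 fix (ESXi70U1b) is identified by a build number in the advisory.
# For 6.5 / 6.7, compare the printed build with the release notes of the
# ESXi670-202011101-SG and ESXi650-202011301-SG bulletins.
$fixedBuild70 = 17168206
foreach ($h in Get-VMHost) {
    $status = switch -Wildcard ($h.Version) {
        '7.0*'  { if ([int]$h.Build -ge $fixedBuild70) { 'patched' } else { 'NEEDS ESXi70U1b-17168206' } }
        '6.7*'  { 'verify build against ESXi670-202011101-SG' }
        '6.5*'  { 'verify build against ESXi650-202011301-SG' }
        default { 'version not covered by this advisory' }
    }
    Write-Host ("HOST {0,-30} {1,-6} build {2,-10} {3}" -f $h.Name, $h.Version, $h.Build, $status)
}

# --- 2. Find (and optionally remove) xHCI controllers ---------------------
foreach ($vm in Get-VM) {
    $devices = $vm.ExtensionData.Config.Hardware.Device
    # The xHCI controller appears as a VirtualUSBXHCIController device in the VM config.
    $xhci    = $devices | Where-Object { $_.GetType().Name -eq 'VirtualUSBXHCIController' }
    if (-not $xhci) { continue }

    # USB devices still wired to this controller make the reconfigure fail,
    # so count them here; detach them before removing the controller.
    $attached = @($devices | Where-Object { $_.ControllerKey -eq $xhci.Key })
    Write-Host ("VM   {0,-30} xHCI key {1}  power {2}  attached USB devices: {3}" -f `
        $vm.Name, $xhci.Key, $vm.PowerState, $attached.Count)

    if (-not $Remove) { continue }
    if ($vm.PowerState -ne 'PoweredOff') {
        # Assumption: the controller is removed with the VM powered off, so
        # running VMs are left for a maintenance window rather than hot-edited.
        Write-Warning "$($vm.Name) is $($vm.PowerState); skipping removal."
        continue
    }
    if ($PSCmdlet.ShouldProcess($vm.Name, 'Remove xHCI USB controller')) {
        # Standard vSphere API reconfigure: one device-change entry with operation 'remove'.
        $devSpec = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $devSpec.Operation = 'remove'
        $devSpec.Device    = $xhci
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.DeviceChange = @($devSpec)
        $vm.ExtensionData.ReconfigVM($spec)
        Write-Host "Removed xHCI controller from $($vm.Name)"
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it first without `-Remove` to get the inventory, then with `-Remove -WhatIf` to see which VMs would be touched, and finally with `-Remove` once the affected VMs are powered off and any USB passthrough devices on the controller have been detached. Removing the controller is a stopgap only; the host patches above are the actual fix for both CVEs.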

Helient Systems will be contacting its Managed Services customers regarding the patching of systems against these vulnerabilities. If you would like assistance planning and applying the latest VMware security patches to your environment, please contact service@helient.com.