A vulnerability classified as problematic has been found in VMware ESXi, Workstation and Fusion (Virtualization Software) (version now known). This affects some unknown processing of the component XHCI USB Controller. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. The summary by CVE is:

VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.2), and Fusion (11.x before 11.5.2) contain an information leak in the XHCI USB controller. A malicious actor with local access to a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

The weakness was published 06/25/2020 (Website). It is possible to read the advisory at vmware.com. This vulnerability is uniquely identified as CVE-2020-3965 since 12/30/2019. Attacking locally is a requirement. Required for exploitation is a authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

Upgrading eliminates this vulnerability.

Similar entries are available at 157244, 157245, 157273 and 157274.

Productinfo

Type

• Virtualization Software

Vendor

• VMware

Name

• ESXi
• Fusion
• Workstation

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion