VMware security team announced the release of a security patch to address a critical vulnerability in their Workstation, Fusion, and vSphere virtualization products. The flaw was revealed by Cfir Cohen, a specialist at a cyber security consulting firm.
Tracked as CVE-202-3960, this is an out-of-bounds read vulnerability that could be exploited by remote threat actors with access to a virtual machine to access inside information in the memory of the affected system.
According to experts from a cyber security consulting company, the vulnerability lies in NVMe (non-volatile memory express) functionality, the state-of-the-art solid-state and flash drive access and transport protocol that delivers the highest performance and fastest response times for all types of enterprise workloads. The vulnerability affects ESXi 6.5 and 6.7, Workstation 15.xy Fusion 11.x.
In addition to correcting this flaw, the company also released fixes for a privilege escalation vulnerability tracked as CVE-2020-3961 present in Horizon Client for Windows systems. This flaw exists due to folder permission settings and unsafe library loading. The flaw received a score of 8.4 on the scale of the Common Vulnerability Scoring System (CVSS).
Users of affected deployments should only verify that the update installation is successful. There are no workarounds to fix these security flaws.
A couple of weeks ago, specialists from a cyber security consulting company also reported finding a security flaw in VMware Cloud Director; identified as CVE-2020-3956, this flaw could have been exploited to take control of corporate servers.
The vulnerability could allow an authenticated attacker to gain access to the corporate network, access sensitive data, and control of private clouds within a complete infrastructure.
Regarding the affected service, VMware Cloud Director is a cloud service delivery platform that enables organizations to operate and manage successful cloud service businesses. Using VMware Cloud Director, cloud service providers provide secure, efficient, and elastic resources to thousands of enterprises and IT security teams around the world.
For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.