VMware security updates: Malicious code can slip into the host through a USB hole

Source: Heise.de added 23rd Nov 2020


If attackers combine two security holes in VMware's software for working with virtual machines (VMs), it can have fatal consequences. Secure versions are available for download.

If an attacker has access to a VMX process, he could obtain higher user rights. According to a warning from VMware, successful exploitation of this "high" severity vulnerability (CVE-2020-4005) is possible only in combination with another flaw, such as the "critical" vulnerability with the identifier CVE-2020-4004.

Breaking out of the VM

If an attacker gains admin rights for a VM by combining both flaws, an error in the XHCI USB controller (CVE-2020-4004) could allow him to execute malicious code in the VMX process on the host. This affects Cloud Foundation, VMware ESXi, Fusion and Workstation.

The versions ESXi 70 U1b-17168206, ESXi 650-202011101-SG, ESXi 650-202011301-SG, Fusion 11.5.7 and Workstation 15.5.7 are secured. Fusion 12.x and Workstation 16.x are not vulnerable. The security updates for Cloud Foundation 3.x and 4.x are pending.

Non-affected versions added to the running text. (of)
