[German]VMware has just released updates to close a critical vulnerability in its ESXi virtualization platform. VMware Workstation and Player have also been upgraded for Windows 10 version 20H2. Here is a summary of the two topics.
Security fix for ESXi virtualization platform
A critical vulnerability in the ESXi virtualization platform was found a few weeks ago at Tianfu Cup, which VMware has now fixed with an update. The following Tweet addresses this issue.
This is a use-after-free vulnerability (CVE-2020-4004) in ESXi's USB controller eXtensible Host Controller Interface (xHCI). The vulnerability was assigned a CVSS score of 9.3 (on a scale of 10). The vulnerability could allow malware to escape from the virtual machine to the host via the USB interface. VMware has published this advisory where another vulnerability, CVE-2020-4005, was also addressed.
ESXi versions 6.5, 6.7 and 7.0 are affected by this critical vulnerability. VMware has released versions of ESXi that address this vulnerability. Users can upgrade to ESXi650-202011301-SG (for version 6.5), ESXi670-202011101-SG (for version 6.7), and ESXi70U1b-17168206 (for version 7.0). VMware Fusion (version 11.x), Workstation (15.x), and VMware Cloud Foundation (ESXi, versions 3.x and 4.x) are also affected. Patches for VMware Cloud Foundation are pending, according to the advisory. One workaround is to remove the xHCI (USB 3.x) controller. Threadpost has also published this article on the issue.
VMware Workstation 16.1.0 Pro and Player
VMware has also updated Workstation 16.1.0 Pro and VMware Player to version 16.1.0. This new version supports Windows 10 version 20H2 as both host and guest. Details about this update can be found in the VMware Release Notes.