Infrastructure — VMware Workstation

On 19 February 2020, VMware published Security Advisory VMSA-2020-0005, addressing critical vulnerabilities in VMware Workstation, Fusion, and ESXi. The advisory covers CVE-2020-3947, a local privilege escalation via the vmnetdhcp service, and CVE-2020-3948, an out-of-bounds read in the Cortado ThinPrint component. Both vulnerabilities enable attackers with local access to escalate privileges on virtualization hosts.

CVE-2020-3947: vmnetdhcp Privilege Escalation

The vmnetdhcp service provides DHCP functionality for virtual networks in VMware Workstation and Fusion. This vulnerability allows a local attacker to exploit the service to execute arbitrary code with elevated privileges on the host operating system. The attack does not require administrative access to the hypervisor—a standard user account on the host machine is sufficient.

Attack scenario: A user with legitimate access to a developer workstation running VMware Workstation could exploit this vulnerability to gain root or SYSTEM privileges on the host. In enterprise environments where developers use local virtualization for testing, this represents a significant privilege escalation risk.

Exploitation complexity is rated low by VMware, indicating the vulnerability can be exploited without sophisticated techniques or specialized knowledge. Proof-of-concept code would likely emerge quickly, making timely patching essential.

CVE-2020-3948: ThinPrint Out-of-Bounds Read

The Cortado ThinPrint component enables printing from virtual machines to host-connected printers. An out-of-bounds read vulnerability in this component allows attackers to trigger denial-of-service conditions and potentially leak sensitive memory contents from the hypervisor process.

Virtual machine escape potential: While VMware categorizes this as a denial-of-service vulnerability, out-of-bounds read conditions sometimes serve as stepping stones for more severe attacks. Information leaked from hypervisor memory could include credentials, encryption keys, or memory layouts useful for chaining additional exploits.

Guest-to-host attack vector: Unlike CVE-2020-3947, which requires host access, the ThinPrint vulnerability could potentially be triggered from within a virtual machine. Organizations running untrusted virtual machines should disable ThinPrint functionality until patches are applied.

Affected Products and Versions

VMware Workstation 15.x on Windows and Linux hosts is vulnerable. The fix ships in Workstation 15.5.2. If you are affected, update all developer workstations and lab environments running Workstation installations.

VMware Fusion 11.x on macOS hosts is vulnerable. The fix ships in Fusion 11.5.2. MacOS users running virtual machines for development, testing, or application compatibility should update immediately.

VMware ESXi 6.5, 6.7, and 7.0 are affected by the ThinPrint vulnerability. Patches are available through the VMware patch repository. Production ESXi hosts typically do not enable ThinPrint, reducing exposure, but verification is recommended.

Enterprise Deployment Considerations

Organizations with centralized VMware Workstation deployments using enterprise licensing should coordinate updates through software distribution systems. The patch requires a full application update rather than a simple in-place hotfix, meaning users will experience brief interruption to running virtual machines.

Virtual machine state preservation: Workstation and Fusion updates typically preserve virtual machine configurations and snapshots. However, you should verify backup procedures before mass deployment and communicate update schedules to users with critical in-progress work in virtual environments.

Mixed version environments: Enterprises managing both Workstation and Fusion deployments across multiple platforms should coordinate updates to maintain consistent security postures. Different platform-specific update mechanisms may require separate change management workflows.

Detection and Monitoring

Endpoint detection and response (EDR) solutions should be configured to alert on suspicious vmnetdhcp process behavior. Unusual child processes, network connections, or file system access patterns from the DHCP service could show exploitation attempts.

Version verification: Your security team should audit installed VMware product versions across the environment. Workstation and Fusion self-report versions through standard software inventory mechanisms, but manual verification confirms complete coverage.

ThinPrint usage audit: Review virtual machine configurations to identify which VMs have ThinPrint enabled. Disabling the feature for VMs that do not require host printing reduces attack surface while awaiting patches.

Remediation Priority

VMware classifies both vulnerabilities with CVSSv3 scores indicating significant severity. CVE-2020-3947 receives particular urgency due to local privilege escalation potential. Developer workstations often contain source code, credentials, and access to production systems that attackers could use from elevated positions.

If you are affected, focus on patching in the following order: (1) workstations with internet exposure or external user access, (2) developer machines with access to sensitive code repositories or deployment pipelines, (3) lab and testing environments, and (4) isolated personal use installations.

Post-Patch Verification

After deploying updates, verify successful patching through VMware product version checks. Workstation displays version information in Help > About; Fusion shows version in VMware Fusion > About VMware Fusion. Automated inventory tools should be configured to flag any remaining installations below the patched versions.

Monitor security advisory feeds for potential exploit code publication. If public exploits emerge before complete patch deployment, consider temporary compensating controls such as restricting vmnetdhcp service permissions or disabling ThinPrint system-wide until updates complete.

Impact on Development Workflows

VMware Workstation and Fusion serve critical roles in software development workflows. Developers use local virtualization for testing across operating systems, validating deployment procedures, and isolating development environments from host systems.

CI/CD pipeline considerations: Build servers running VMware Workstation for automated testing require coordinated updates. Patch deployment to build infrastructure should occur during planned maintenance windows to avoid disrupting active builds.

Developer workstation updates: Individual developers may resist updates that require restarting virtual machines with in-progress work. Communicate update requirements clearly and provide adequate notice for developers to checkpoint their work.

Verification and Compliance Steps

1. Inventory VMware products: Identify all Workstation, Fusion, and ESXi installations across the organization
2. Verify current versions: Compare installed versions against patched releases in VMSA-2020-0005
3. Schedule updates: Plan maintenance windows for coordinated updates across development and production infrastructure
4. Test ThinPrint requirements: Identify VMs requiring host printing functionality; disable ThinPrint elsewhere
5. Validate post-update: Confirm version numbers through product interfaces after patching
6. Document remediation: Record patching activities for compliance evidence and audit trails

Security Architecture Improvements

Beyond immediate patching, you should evaluate whether desktop virtualization security architectures adequately address privilege escalation risks. Consider restricting local administrative access on workstations running VMware products, implementing application allowlisting to detect unauthorized process execution, and deploying endpoint detection tools capable of identifying vmnetdhcp exploitation patterns. Long-term security improvements reduce exposure to future hypervisor vulnerabilities.

Regular security assessments should include virtualization platforms as potential privilege escalation vectors requiring ongoing attention.

Vulnerability Details

VMware Workstation and Fusion vulnerabilities enabled guest-to-host escape and privilege escalation attacks. Desktop virtualization users faced risk of host system compromise from malicious virtual machines. Immediate patching addressed critical attack surface.

Patch Deployment

Desktop virtualization environments require coordinated update deployment. User notification and reboot scheduling minimize productivity disruption. Verification confirms successful patch application.

Security Considerations

Desktop virtualization trust models assume guest isolation. Guest escape vulnerabilities fundamentally compromise security assumptions. Defense-in-depth approaches reduce impact when isolation fails.

Monitoring and Detection

Host-based monitoring detects anomalous guest behavior potentially indicating escape attempts. Security telemetry collection supports forensic investigation of suspected incidents. Regular assessment validates virtualization security posture.

You may also find useful

Hand-picked articles on adjacent topics.

Infrastructure · Credibility 91/100 · February 20, 2020

Microsoft Defender ATP for Linux enters public preview

Microsoft Defender ATP is coming to Linux. The preview dropped on February 20, 2020, supporting RHEL, CentOS, Ubuntu, Debian, SLES, and Oracle Linux. If you are already in the Microsoft security stack, you can now extend…

Infrastructure · Credibility 73/100 · February 18, 2020

CISA alert on ransomware disrupting natural gas compression

A U.S. natural gas compression facility got hit with ransomware and had to shut down for two days. CISA's alert makes clear that OT networks are not immune—the malware spread from IT to operations. If you are running…

Infrastructure · Credibility 91/100 · February 24, 2020

Apache Tomcat AJP vulnerability (CVE-2020-1938 'Ghostcat') patched

Apache released fixes for CVE-2020-1938, an AJP request injection flaw dubbed Ghostcat that allows file reads and potential remote code execution on default Tomcat installations.

Infrastructure · Credibility 73/100 · February 11, 2020

Adobe February 2020 security updates patch Acrobat, Reader, and Framemaker

Adobe's February 2020 release addressed critical vulnerabilities across Acrobat/Reader, Framemaker, Digital Editions, and Experience Manager with fixes available on Patch Tuesday.

Infrastructure · Credibility 73/100 · February 11, 2020

Microsoft February 2020 Patch Tuesday addresses 99 CVEs

Microsoft's February 2020 Patch Tuesday fixed 99 CVEs—a big month. Critical bugs in IE, Remote Desktop, Exchange, and the Windows kernel. Prioritize and deploy.

Continue in the Infrastructure pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Telecom Modernization Infrastructure Guide

  Modernise telecom infrastructure using 3GPP Release 18 roadmaps, O-RAN Alliance specifications, and ITU broadband benchmarks curated here.

• Infrastructure Resilience Guide

  Coordinate capacity planning, supply chain, and reliability operations using DOE grid programmes, Uptime Institute benchmarks, and NERC reliability mandates covered here.

• Edge Resilience Infrastructure Guide

  Engineer resilient edge estates using ETSI MEC standards, DOE grid assessments, and GSMA availability benchmarks documented here.

Coverage intelligence

Published

February 19, 2020

Coverage pillar

Infrastructure

Source credibility

91/100 — high confidence

Topics

VMware Workstation · VMware Fusion · ESXi · CVE-2020-3947 · CVE-2020-3948

Sources cited

3 sources (vmware.com, cisecurity.org)

Reading time

6 min

Documentation

1. VMware VMSA-2020-0005 — vmware.com
2. VMware Product Security — vmware.com
3. CIS VMware Benchmark — cisecurity.org