VMware fixes VMSA-2020-0006 code execution flaws
VMware released VMSA-2020-0006 patches for multiple vulnerabilities in Workstation, Fusion, and ESXi that allow host escape or privilege escalation via crafted virtual network traffic. Administrators must update hypervisors and disable unnecessary virtual adapters to block attack paths.
Reviewed for accuracy by Kodi C.
Overview
VMware released security advisory VMSA-2020-0006, addressing multiple critical and high-severity vulnerabilities affecting ESXi, Workstation, and Fusion hypervisor products. Successful exploitation could allow attackers to escape virtual machine boundaries and execute code on host systems, fundamentally compromising the security isolation that virtualization provides.
Critical Vulnerabilities
The advisory addresses several distinct vulnerability classes across VMware virtualization components:
- vmnetdhcp heap overflow (CVE-2020-3947): A use-after-free vulnerability in the virtual network DHCP service could allow a guest operating system to execute arbitrary code on the host with elevated privileges.
- Cortado ThinPrint (CVE-2020-3948): A privilege escalation vulnerability in the Cortado ThinPrint component could allow local attackers to gain SYSTEM privileges on Windows host systems or root on Linux hosts.
- Virtual machine escape: The combination of vulnerabilities enables complete guest-to-host escape, allowing an attacker controlling a virtual machine to compromise the underlying hypervisor and potentially all other guests.
Affected Products and Versions
Inventory deployments of the following affected products:
- VMware ESXi: Versions 6.7 and 6.5 require patching; version 7.0 was not yet released at vulnerability disclosure time.
- VMware Workstation: Versions 15.x running on Windows and Linux hosts are affected.
- VMware Fusion: Versions 11.x running on macOS hosts require updates.
The virtualization attack surface spans enterprise data center infrastructure (ESXi) and developer/power-user workstations (Workstation, Fusion), requiring coordinated remediation across different operational teams.
Security Impact Assessment
Virtual machine escape vulnerabilities are among the most severe security issues in virtualized environments:
- Isolation failure: The fundamental security promise of virtualization is that guest virtual machines cannot affect host systems or other guests. VM escape breaks this boundary entirely.
- Multi-tenant risk: Cloud providers, hosting companies, and organizations sharing infrastructure across security boundaries face complete compromise if attackers can escape VM constraints.
- Lateral movement: Attackers escaping to hypervisor hosts can access all guest virtual machines, storage, and network resources managed by that host.
- Persistence: Host-level compromise enables attackers to persist outside virtual machine backups and re-compromise rebuilt guests.
- Detection challenges: Security monitoring focused on guest operating systems may miss host-level compromise activities.
Attack Vector Analysis
Understanding how these vulnerabilities might be exploited helps focus remediation efforts:
- vmnetdhcp exploitation: Requires the attacker to control a guest VM configured with virtual networking that uses the vulnerable DHCP service. Crafted network traffic from guest to host triggers the vulnerability.
- ThinPrint exploitation: Requires local access to systems with ThinPrint installed, typically through an already-compromised guest VM or local workstation access.
- Attack chain: Sophisticated attackers might combine initial guest compromise (through web exploitation, phishing, or supply chain attack) with VM escape to reach high-value infrastructure.
Mitigation and Remediation
If you are affected, implement the following measures to address VMSA-2020-0006:
- Apply patches immediately: Install the March 6, 2020 security updates for ESXi, Workstation, and Fusion as documented in the advisory. Prioritize production ESXi hosts handling sensitive workloads.
- Disable vmnetdhcp where unused: If virtual machines do not require DHCP from the virtual network, disable the vmnetdhcp service to eliminate the attack surface.
- Remove ThinPrint if unnecessary: Uninstall or disable Cortado ThinPrint components on hosts not requiring virtual printing functionality.
- Review virtual networking: Audit virtual network configurations and remove unnecessary virtual NICs or network adapters from guest VMs.
- Restrict console access: Limit interactive access to guest consoles and shared folder features that could aid post-compromise activities.
- Monitor for exploitation: Implement detection for unusual process execution or file system activity on ESXi hosts that might indicate escape attempts.
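One way to carry out the virtual networking review on Workstation or Fusion hosts, as an added example (not VMware tooling and not code from the advisory): parse a guest's .vmx file and list each attached virtual NIC with its network type. The function names and the verdict mapping are assumptions made for this sketch. It treats NAT and host-only networks as served by the host DHCP service, marks custom vmnets for manual review, and treats a NIC with no connectionType as bridged.

```python
import re

# .vmx settings are lines of the form: key = "value"
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
NIC_KEY = re.compile(r'^(ethernet\d+)\.(present|connectiontype|vnet)$')

# Assumption: on a default Workstation/Fusion install the host DHCP service
# answers on the NAT and host-only networks; custom vmnets depend on the
# host's virtual network settings, so they are marked for manual review.
VERDICT = {"nat": "dhcp-served", "hostonly": "dhcp-served", "custom": "review"}

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_nics(text):
    """Return (nic, connection type, vnet, verdict) for each attached NIC."""
    nics = {}
    for key, value in parse_vmx(text).items():
        m = NIC_KEY.match(key)
        if m:
            nics.setdefault(m.group(1), {})[m.group(2)] = value
    findings = []
    for name in sorted(nics, key=lambda n: int(n[len("ethernet"):])):
        nic = nics[name]
        if nic.get("present", "FALSE").upper() != "TRUE":
            continue  # adapter is defined but not attached to the guest
        # Assumption: a NIC with no connectionType uses bridged networking.
        ctype = nic.get("connectiontype", "bridged").lower()
        findings.append((name, ctype, nic.get("vnet", ""),
                         VERDICT.get(ctype, "not-dhcp-served")))
    return findings

# Constructed sample .vmx content (not taken from a real guest).
SAMPLE_VMX = '''displayName = "build-agent-01"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "VMnet3"
ethernet3.present = "FALSE"
ethernet3.connectionType = "hostonly"
'''
```

Run `audit_nics()` over the text of each guest's .vmx file; adapters reported as `dhcp-served` or `review` are the ones to confirm as needed or remove.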
ESXi Patching Considerations
Enterprise ESXi environments require careful patch planning:
- Maintenance windows: ESXi patching requires host reboots, which in turn require workload migration and scheduled downtime.
- vMotion coordination: For clusters with DRS enabled, plan sequential host patching to maintain workload availability.
- Patch baselines: Update VMware Update Manager or vSphere Lifecycle Manager baselines to include VMSA-2020-0006 patches.
- Compliance reporting: Configure scanning to identify unpatched hosts and track remediation progress.
- Rollback preparation: Ensure host backups or snapshot capability exists before applying patches to production systems.
Workstation and Fusion Updates
Desktop virtualization products require different remediation approaches:
- User notification: Alert developers and power users running Workstation or Fusion about available security updates.
- Software distribution: Use enterprise software deployment tools to push updated installers to managed workstations.
- License considerations: Verify license agreements permit centralized update distribution.
- Configuration backup: Recommend users back up virtual machine inventories before updating, as version upgrades may affect VM configurations.
Detection and Monitoring
If you are affected, implement monitoring to detect potential exploitation:
- Monitor ESXi host process execution for unexpected binaries or shell access
- Alert on configuration changes to vmnetdhcp and ThinPrint services
- Implement network monitoring for anomalous traffic between guests and hosts
- Review ESXi logs for unusual authentication patterns or privilege changes
- Consider deploying hypervisor-aware security tools for additional visibility
Summary
VMSA-2020-0006 represents a serious security advisory requiring prompt attention from organizations using VMware virtualization products. The potential for guest-to-host escape makes these vulnerabilities particularly concerning for multi-tenant environments and organizations relying on virtualization for security isolation. If you are affected, focus on patching while implementing compensating controls and monitoring for environments where immediate patching is not feasible.
References
- VMSA-2020-0006: VMware ESXi, Workstation and Fusion updates address multiple vulnerabilities
- VMware Security Advisories — VMware
- ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization