TTCSIRT-312.050420: TT-CSIRT ADVISORY – VMWARE ESXI STORED CROSS-SITE SCRIPTING (XSS) VULNERABILITY

A Stored Cross-Site Scripting (XSS) vulnerability in VMware ESXi was privately reported to VMware. Patches are available to address this vulnerability in affected VMware products.

VMware ESXi patches address Stored Cross-Site Scripting (XSS) vulnerability (CVE-2020-3955).

The VMware ESXi Host Client does not properly neutralize script-related HTML when viewing virtual machines attributes. VMware has evaluated the severity of this issue to be in the “Important” severity range with a maximum CVSSv3 base score of 8.3.

A malicious actor with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim’s browser when viewing this virtual machine via the ESXi Host Client.

There are no workarounds. However, to remediate CVE-2020-3955 refer to and apply the updates listed in the links below:

ESXi 7.0 – Unaffected

ESXi 6.7 –https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202004002.html

ESXi 6.5 – https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201912002.html

The Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) encourages users and administrators to review and apply the necessary updates.