Threat Watch

VMware Released Security Updates

On March 17th, VMware released security updates that address Denial-of-Service (DoS) and high severity privilege escalation flaws in VMware Workstation, Fusion, VMware Remote Console, and Horizon Client. The two flaws, tracked as CVE-2020-3950 and CVE-2020-3951, are believed to come from the improper use of setuid binaries and from a heap-overflow issue in Cortado Thinprint, respectively. CVE-2020-3950 affects the following versions:

  • VMware Fusion Version 11.x before 11.5.2
  • VMware Remote Console for Mac 11.x before 11.0.1
  • Horizon Client for Mac 5.x before 5.4.0

CVE-2020-3951, which is found in Cortado Thinprint, affects the following versions:

  • VMware Workstation (Windows and Linux) version 15.x before 15.5.2
  • Horizon Client for Windows 5.x before 5.4.0

VMware stated, “Attackers with non-administrative access to a guest VM with virtual printing enabled may exploit this issue to create a denial-of-service condition of the Thinprint service running on the system where Workstation or Horizon Client is installed.”


In order to fix the issues, it is recommended that users visit vmware[.]com and apply the patches listed in the Fixed Version column of the Resolution Matrix that can be found within the VMSA-2020-0005 advisory.
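To find which machines need those patches, the version ranges listed above can be checked against a software inventory. The following is an added example, not code from VMware or from the advisory; the inventory format, hostnames and sample versions are constructed, and only the major version lines named on this page are flagged.

```python
import re

# Affected ranges as listed on this page: (CVE, product, platform, major line, fixed version)
AFFECTED = [
    ("CVE-2020-3950", "VMware Fusion", "mac", 11, (11, 5, 2)),
    ("CVE-2020-3950", "VMware Remote Console", "mac", 11, (11, 0, 1)),
    ("CVE-2020-3950", "Horizon Client", "mac", 5, (5, 4, 0)),
    ("CVE-2020-3951", "VMware Workstation", "windows", 15, (15, 5, 2)),
    ("CVE-2020-3951", "VMware Workstation", "linux", 15, (15, 5, 2)),
    ("CVE-2020-3951", "Horizon Client", "windows", 5, (5, 4, 0)),
]

def parse_version(text):
    """Return the leading dotted version as a 3-tuple, ignoring build suffixes."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def findings(product, platform, version):
    """List (cve, fixed_version) pairs that apply to one installed product."""
    ver = parse_version(version)
    # "N.x before F": same major line and strictly older than the fixed version.
    return [(cve, ".".join(map(str, fixed)))
            for cve, name, plat, major, fixed in AFFECTED
            if name.lower() == product.lower() and plat == platform.lower()
            and ver[0] == major and ver < fixed]

def triage(inventory):
    """Map host -> findings for every inventory row that needs a patch."""
    report = {}
    for host, product, platform, version in inventory:
        hits = findings(product, platform, version)
        if hits:
            report.setdefault(host, []).extend(hits)
    return report

# Constructed sample inventory (hostnames, versions and build suffix are made up).
SAMPLE = [
    ("mac-01", "VMware Fusion", "mac", "11.5.1"),
    ("mac-02", "VMware Fusion", "mac", "11.5.2"),
    ("win-01", "VMware Workstation", "windows", "15.5.1 build-0000000"),
    ("win-02", "Horizon Client", "windows", "5.4.0"),
    ("lin-01", "VMware Workstation", "linux", "14.1.8"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Versions outside the listed major lines, such as the 14.x Workstation row in the sample, are not flagged because this page does not list them; consult the Resolution Matrix in VMSA-2020-0005 for those.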