CVE-2020-3986 Overview
CVE-2020-3986 is an out-of-bounds read vulnerability affecting VMware Workstation (15.x) and Horizon Client for Windows (5.x before 5.4.4). The vulnerability exists in the Cortado ThinPrint component, specifically within the EMF Parser. A malicious actor with normal access to a virtual machine may be able to exploit this issue to create a partial denial-of-service condition or to leak memory from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.
Critical Impact
Attackers with VM access can exploit the EMF Parser vulnerability to leak sensitive memory contents from the host TPView process or cause service disruption.
Affected Products
- VMware Horizon Client for Windows (5.x before 5.4.4)
- VMware Workstation Player (15.x)
- VMware Workstation Pro (15.x)
Discovery Timeline
- 2020-09-16 - CVE-2020-3986 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-3986
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), a memory safety issue that occurs when the software reads data past the end or before the beginning of the intended buffer. In this case, the vulnerability resides in the Cortado ThinPrint component's EMF (Enhanced Metafile) Parser functionality.
The ThinPrint component is used to enable printing from virtual machines to host printers. When processing specially crafted EMF print data, the parser fails to properly validate buffer boundaries, allowing an attacker to read memory beyond allocated boundaries. This can result in information disclosure from the TPView process memory space or cause application instability leading to denial of service.
The attack requires local access, meaning the attacker must have normal user access to a virtual machine running on the affected host. From this position, they can send malicious print jobs containing specially crafted EMF data to trigger the vulnerability.
Root Cause
The root cause of this vulnerability is improper bounds checking in the EMF Parser within the Cortado ThinPrint component. When processing EMF records, the parser does not adequately validate that read operations stay within the allocated buffer boundaries, allowing out-of-bounds memory access. This is a classic memory safety issue where input validation fails to prevent malformed or malicious data from causing unintended memory operations.
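Added example (not ThinPrint's code or VMware's fix): a bounds-checked EMF record walker showing the length checks whose absence produces this class of out-of-bounds read. The page does not say which record type the parser mishandled, so this covers only the generic record framing (each record starts with a 4-byte type and a 4-byte size; the header record is at least 88 bytes with the " EMF" signature at offset 40). `emf_validate`, `emf_sample` and the status names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum emf_status { EMF_OK, EMF_TRUNCATED, EMF_BAD_SIZE, EMF_BAD_HEADER, EMF_NO_EOF };
#define EMR_HEADER    1u
#define EMR_EOF       14u
#define EMF_SIGNATURE 0x464D4520u   /* " EMF", at offset 40 of the header record */
/* Little-endian 32-bit read; the caller has already proven off + 4 <= len. */
static uint32_t rd32(const uint8_t *p, size_t off) {
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}
static void wr32(uint8_t *p, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) p[off + i] = (uint8_t)(v >> (8 * i));
}
/* Walk every record; never trust nSize until it is checked against what is left. */
enum emf_status emf_validate(const uint8_t *buf, size_t len, size_t *records) {
    size_t off = 0, n = 0;
    while (off < len) {
        size_t remaining = len - off;              /* cannot underflow: off < len */
        if (remaining < 8) return EMF_TRUNCATED;   /* no room for type + size */
        uint32_t type = rd32(buf, off), size = rd32(buf, off + 4);
        if (size < 8 || (size & 3u)) return EMF_BAD_SIZE;  /* 4-byte aligned, >= 8 */
        if (size > remaining) return EMF_TRUNCATED;  /* record would leave the buffer */
        if (n == 0 && (type != EMR_HEADER || size < 88 ||
                       rd32(buf, off + 40) != EMF_SIGNATURE))
            return EMF_BAD_HEADER;
        n++; off += size;
        if (type == EMR_EOF) { if (records) *records = n; return EMF_OK; }
    }
    return EMF_NO_EOF;
}

/* Constructed sample: an 88-byte EMR_HEADER followed by a 20-byte EMR_EOF. */
size_t emf_sample(uint8_t out[108]) {
    memset(out, 0, 108);
    wr32(out, 0, EMR_HEADER); wr32(out, 4, 88); wr32(out, 40, EMF_SIGNATURE);
    wr32(out, 88, EMR_EOF);   wr32(out, 92, 20);
    return 108;
}

int main(void) {
    uint8_t emf[108]; size_t n = 0, len = emf_sample(emf);
    printf("intact=%d ", emf_validate(emf, len, &n));
    wr32(emf, 92, 0x1000);          /* EOF record now claims 4096 bytes */
    printf("oversized=%d\n", emf_validate(emf, len, &n));
}
```

A real parser needs the same discipline inside each record: every offset and count field in the payload has to be checked against that record's own validated size before it is dereferenced.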
Attack Vector
The attack vector for CVE-2020-3986 requires local access to a virtual machine running on the affected VMware Workstation or Horizon Client installation. An attacker with normal user privileges within the VM can exploit this vulnerability through the following attack flow:
- The attacker gains access to a guest virtual machine (standard user access is sufficient)
- The attacker crafts a malicious EMF file or print job containing specially constructed EMF records
- When the ThinPrint component processes this data, the vulnerable EMF Parser reads beyond buffer boundaries
- This results in either memory disclosure from the TPView process or a partial denial-of-service condition on the host system
The vulnerability does not enable direct code execution, but it can leak sensitive information from the host process memory, which could be leveraged in a multi-stage attack.
Detection Methods for CVE-2020-3986
Indicators of Compromise
- Unexpected crashes or restarts of the TPView.exe process on systems running VMware Workstation or Horizon Client
- Anomalous print job activity originating from virtual machines, particularly with unusual EMF file sizes or structures
- Memory access violations logged in Windows Event Viewer related to ThinPrint components
Detection Strategies
- Monitor for abnormal behavior of the TPView.exe process including unexpected terminations or high memory usage
- Implement endpoint detection rules to identify suspicious print spooler activity from virtual machine sessions
- Deploy application crash monitoring to detect repeated failures in ThinPrint-related processes
- Use memory protection features to detect out-of-bounds read attempts in critical processes
Monitoring Recommendations
- Enable verbose logging for VMware ThinPrint components to capture potential exploitation attempts
- Configure SIEM rules to correlate VM-initiated print jobs with subsequent TPView process anomalies
- Implement host-based intrusion detection to monitor for memory scanning patterns targeting the TPView process
- Review print queue logs for malformed or suspicious EMF data submissions from guest VMs
How to Mitigate CVE-2020-3986
Immediate Actions Required
- Update VMware Horizon Client for Windows to version 5.4.4 or later immediately
- Update VMware Workstation to the latest patched version as specified in VMSA-2020-0020
- If patching is not immediately possible, consider disabling the ThinPrint feature as a temporary workaround
- Restrict virtual machine access to trusted users only until patches can be applied
Patch Information
VMware has released security updates to address this vulnerability. Administrators should consult the VMware Security Advisory VMSA-2020-0020 for detailed patch information and download links. For Horizon Client for Windows, upgrade to version 5.4.4 or later. For VMware Workstation, apply the appropriate security update as documented in the advisory.
Workarounds
- Disable the Cortado ThinPrint virtual printing feature in VMware Workstation or Horizon Client settings if not required for operations
- Restrict network access to virtual machines to limit potential attacker entry points
- Implement application whitelisting to prevent unauthorized processes from interacting with ThinPrint components
- Use VM isolation features to minimize the attack surface between guest and host systems
# To disable ThinPrint in VMware Workstation, add the following to the VM's .vmx configuration file:
isolation.tools.vixguestlibcap.disable = "TRUE"
thinprint.disable = "TRUE"

