CVE-2020-0029: 
NixOS vulnerability analysis and mitigation

A denial-of-service vulnerability (CVE-2020-3999) was privately reported to VMware affecting multiple products including VMware ESXi, Workstation, Fusion, and Cloud Foundation. The vulnerability was discovered in December 2020 and is related to improper input validation in GuestInfo (VMware Advisory).

The vulnerability stems from improper input validation in the GuestInfo functionality, specifically within the implementation of the SetGuestInfo RPC function. The issue results from dereferencing a null pointer. The severity of this vulnerability has been evaluated as Low with a CVSSv3 base score of 3.3, though Zero Day Initiative assessed it with a higher CVSS score of 6.5 (ZDI Advisory).

When successfully exploited, this vulnerability can lead to a crash of the virtual machine's vmx process, resulting in a denial-of-service condition. The impact is limited to availability, with no compromise to confidentiality or integrity (VMware Advisory).

VMware has released patches to address this vulnerability. For ESXi 7.0, the fix is available in ESXi70U1c-17325551. Workstation users should upgrade to version 16.0 or 15.5.7, while Fusion users should upgrade to version 12.0 or 11.5.7. Cloud Foundation users should upgrade to version 4.2. No workarounds are available for this vulnerability (VMware Advisory).