Monday, February 10, 2025
HomeCyber Security NewsVMware Security Vulnerabilities Leads to Code Execution and Cause DoS Condition

VMware Security Vulnerabilities Leads to Code Execution and Cause DoS Condition

Published on

SIEM as a Service

Follow Us on Google News

Vmware fixed multiple security vulnerabilities that may lead to code execution, information disclosure and DoS condition with normal user privileges.

Products Affected

  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)

Vmware Security Vulnerabilities

The Out-of-bounds read/write vulnerabilities resides in the pixel shader functionality of the VMware ESXi, Workstation and Fusion, the vulnerability can be tracked as

  • CVE-2019-5521 – Out-of-bounds read vulnerability – CVSSv3 = 6.3-7.7
  • CVE-2019-5684 – Out-of-bounds write vulnerability – CVSSv3 = 8.5

Vulnerability Exploitation

To exploit the vulnerability an attacker could have access to the virtual machine with 3D graphics enabled. By default, it is enabled with Workstation Pro and Fusion Pro.

The Out-of-bounds read vulnerability allows attackers to read sensitive information from other memory locations. This may lead to information disclosure and an attacker could cause DoS attack condition with normal user privileges.

The out-of-bounds writes data past the end, or before the beginning, this vulnerability can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of the attack allows an attacker to executed code on the host.

How to Address the issue

The vulnerability can be addressed by updating to the latest version of the product and the workaround is by disabling the 3D-acceleration feature.

  • VMware vSphere ESXi (ESXi) (ESXi670-201904101-SG, ESXi650-201903001)
  • VMWare Fusion (10.1.6, 11.0.3)
  • VMWare Workstation (14.1.6, 15.0.3)

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...