VMware Security Vulnerabilities Leads to Code Execution and Cause DoS Condition

Vmware fixed multiple security vulnerabilities that may lead to code execution, information disclosure and DoS condition with normal user privileges.

Products Affected

• VMware vSphere ESXi (ESXi)
• VMware Workstation Pro / Player (Workstation)
• VMware Fusion Pro / Fusion (Fusion)

Vmware Security Vulnerabilities

The Out-of-bounds read/write vulnerabilities resides in the pixel shader functionality of the VMware ESXi, Workstation and Fusion, the vulnerability can be tracked as

• CVE-2019-5521 – Out-of-bounds read vulnerability – CVSSv3 = 6.3-7.7
• CVE-2019-5684 – Out-of-bounds write vulnerability – CVSSv3 = 8.5

Vulnerability Exploitation

To exploit the vulnerability an attacker could have access to the virtual machine with 3D graphics enabled. By default, it is enabled with Workstation Pro and Fusion Pro.

The Out-of-bounds read vulnerability allows attackers to read sensitive information from other memory locations. This may lead to information disclosure and an attacker could cause DoS attack condition with normal user privileges.

The out-of-bounds writes data past the end, or before the beginning, this vulnerability can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of the attack allows an attacker to executed code on the host.

How to Address the issue

The vulnerability can be addressed by updating to the latest version of the product and the workaround is by disabling the 3D-acceleration feature.

• VMware vSphere ESXi (ESXi) (ESXi670-201904101-SG, ESXi650-201903001)
• VMWare Fusion (10.1.6, 11.0.3)
• VMWare Workstation (14.1.6, 15.0.3)

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.