Headline
CVE-2019-5527: VMSA-2019-0014.1
ESXi, Workstation, Fusion, VMRC and Horizon Client contain a use-after-free vulnerability in the virtual sound device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.5.
Advisory ID: VMSA-2019-0014.1
Advisory Severity: Important
CVSSv3 Range: 4.7-8.5
Synopsis: VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535)
Issue Date: 2019-09-19
Updated On: 2019-09-21
CVE(s): CVE-2019-5527, CVE-2019-5535
1. Impacted Products
- VMware vSphere ESXi (ESXi)
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Remote Console for Windows (VMRC for Windows)
- VMware Remote Console for Linux (VMRC for Linux)
- VMware Horizon Client for Windows
- VMware Horizon Client for Linux
- VMware Horizon Client for Mac
2. Introduction
VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial-of-service vulnerabilities.
- CVE-2019-5527: ESXi, Workstation, Fusion, VMRC and Horizon Client use-after-free vulnerability
- CVE-2019-5535: VMware Workstation and Fusion network denial-of-service vulnerability
**3a. ESXi, Workstation, Fusion, VMRC and Horizon Client use-after-free vulnerability - CVE-2019-5527**
**Description:**
ESXi, Workstation, Fusion, VMRC and Horizon Client contain a use-after-free vulnerability in the virtual sound device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.5.
Known Attack Vectors:
A local attacker with non-administrative access on the guest machine may exploit this issue to execute code on the host.
Resolution:
To remediate CVE-2019-5527, update/upgrade to the versions listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
Workarounds:
None.
Additional Documentation:
None.
Notes:
None.
Acknowledgements:
VMware would like to thank Will Dormann of the CERT/CC and wenqunwang from Codesafe Team of Legendsec at Qi’anxin Group for independently reporting this issue to us.
Response Matrix:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents |
|---|---|---|---|---|---|---|---|---|
| ESXi | 6.7 | Any | CVE-2019-5527 | 8.5 | Important | ESXi670-201904101-SG | None | None |
| ESXi | 6.5 | Any | CVE-2019-5527 | 8.5 | Important | ESXi650-201903401-SG | None | None |
| ESXi | 6.0 | Any | CVE-2019-5527 | 8.5 | Important | ESXi600-201909101-SG | None | None |
| Workstation | 15.x | Any | CVE-2019-5527 | 8.5 | Important | 15.5.0 | None | None |
| Fusion | 11.x | OS X | CVE-2019-5527 | 8.5 | Important | 11.5.0 | None | None |
| VMRC for Windows | 10.x | Windows | CVE-2019-5527 | 8.5 | Important | 10.0.5 and Later | None | None |
| VMRC for Linux | 10.x | Linux | CVE-2019-5527 | 8.5 | Important | 10.0.5 and Later | None | None |
| Horizon Client for Windows | 5.x and prior | Windows | CVE-2019-5527 | 8.0 | Important | 5.2.0 | None | None |
| Horizon Client for Linux | 5.x and prior | Linux | CVE-2019-5527 | 8.0 | Important | 5.2.0 | None | None |
| Horizon Client for Mac | 5.x and prior | OS X | CVE-2019-5527 | 8.0 | Important | 5.2.0 | None | None |
**3b. VMware Workstation and Fusion network denial-of-service vulnerability - CVE-2019-5535**
**Description:**
VMware Workstation and Fusion contain a network denial-of-service vulnerability due to improper handling of certain IPv6 packets. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.
Known Attack Vectors:
An attacker may exploit this issue by sending a specially crafted IPv6 packet from a guest machine on the VMware NAT to disallow network access for all guest machines using VMware NAT mode. This issue can be exploited only if IPv6 mode for VMNAT is enabled.
Resolution:
To remediate CVE-2019-5535, update/upgrade to the versions listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
Workarounds:
None.
Additional Documentation:
None.
Notes:
IPv6 mode for VMNAT is not enabled by default.
Acknowledgements:
VMware would like to thank Carlos Garcia Prado from FireEye for reporting this issue to us.
Response Matrix:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents |
|---|---|---|---|---|---|---|---|---|
| Workstation | 15.x | Any | CVE-2019-5535 | 4.7 | Moderate | 15.5.0 | None | None |
| Fusion | 11.x | OS X | CVE-2019-5535 | 4.7 | Moderate | 11.5.0 | None | None |
5. Change log
2019-09-19: VMSA-2019-0014 Initial security advisory in conjunction with the release of Workstation 15.5.0 and Fusion 11.5.0 on 2019-09-19.
2019-09-21: VMSA-2019-0014.1 Updated security advisory to clarify Known Attack Vectors of Issue 3(a).