VMSA-2019-0014:VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities.
23559
17 September 2019
17 September 2019
CLOSED
HIGH
4.7-8.5
CVE-2019-5527,CVE-2019-5535
VMware Security Advisories
| Advisory ID | VMSA-2019-0014.1 |
| Advisory Severity | Important |
| CVSSv3 Range | 4.7-8.5 |
| Synopsis | VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535) |
| Issue Date | 2019-09-19 |
| Updated On | 2019-09-21 |
| CVE(s) | CVE-2019-5527, CVE-2019-5535 |
1. Impacted Products
- VMware vSphere ESXi (ESXi)
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Remote Console for Windows (VMRC for Windows)
- VMware Remote Console for Linux (VMRC for Linux)
- VMware Horizon Client for Windows
- VMware Horizon Client for Linux
- VMware Horizon Client for Mac
2. Introduction
VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial-of-service vulnerabilities.
- CVE-2019-5527: ESXi, Workstation, Fusion, VMRC and Horizon Client use-after-free vulnerability
- CVE-2019-5535: VMware Workstation and Fusion network denial-of-service vulnerability
3a. ESXi, Workstation, Fusion, VMRC and Horizon Client use-after-free vulnerability - CVE-2019-5527
Description:
ESXi, Workstation, Fusion, VMRC and Horizon Client contain a use-after-free vulnerability in the virtual sound device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.5.
Known Attack Vectors:
A local attacker with non-administrative access on the guest machine may exploit this issue to execute code on the host.
Resolution:
To remediate CVE-2019-5527, update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds:
None.
Additional Documentations:
None.
Notes:
None.
Acknowledgements:
VMware would like to thank Will Dormann of the CERT/CC and wenqunwang from Codesafe Team of Legendsec at Qi'anxin Group for independently reporting this issue to us.
Response Matrix:
| Product | Version | Running On | CVE Identifier | CVSSV3 | Severity | Fixed Version | Workarounds | Additional Documents |
| ESXi | 6.7 | Any | CVE-2019-5527 | 8.5 | Important | ESXi670-201904101-SG | None | None |
| ESXi | 6.5 | Any | CVE-2019-5527 | 8.5 | Important | ESXi650-201903401-SG | None | None |
| ESXi | 6.0 | Any | CVE-2019-5527 | 8.5 | Important | ESXi600-201909101-SG | None | None |
| Workstation | 15.x | Any | CVE-2019-5527 | 8.5 | Important | 15.5.0 | None | None |
| Fusion | 11.x | OS X | CVE-2019-5527 | 8.5 | Important | 11.5.0 | None | None |
| VMRC for Windows | 10.x | Windows | CVE-2019-5527 | 8.5 | Important | 10.0.5 and Later | None | None |
| VMRC for Linux | 10.x | Linux | CVE-2019-5527 | 8.5 | Important | 10.0.5 and Later | None | None |
| Horizon Client for Windows | 5.x and prior | Windows | CVE-2019-5527 | 8.0 | Important | 5.2.0 | None | None |
| Horizon Client for Linux | 5.x and prior | Linux | CVE-2019-5527 | 8.0 | Important | 5.2.0 | None | None |
| Horizon Client for Mac | 5.x and prior | OS X | CVE-2019-5527 | 8.0 | Important | 5.2.0 | None | None |
3b. VMware Workstation and Fusion network denial-of-service vulnerability - CVE-2019-5535
Description:
VMware Workstation and Fusion contain a network denial-of-service vulnerability due to improper handling of certain IPv6 packets. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.
Known Attack Vectors:
An attacker may exploit this issue by sending a specially crafted IPv6 packet from a guest machine on the VMware NAT to disallow network access for all guest machines using VMware NAT mode. This issue can be exploited only if IPv6 mode for VMNAT is enabled.
Resolution:
To remediate CVE-2019-5535, update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds:
None.
Additional Documentations:
None.
Notes:
IPv6 mode for VMNAT is not enabled by default.
Acknowledgements:
VMware would like to thank Carlos Garcia Prado from FireEye for reporting this issue to us.
Response Matrix:
4. References
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5535
Fixed Version(s) and Release Notes:
VMware ESXi 6.7 U2
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=ESXI67U2
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html
VMware ESXi 6.5, Patch Release ESXi650-201903001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201903001.html
VMware ESXi 6.0, Patch Release ESXi600-201909001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201909001.html
VMware Workstation 15.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Fusion 11.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
VMware Remote Console 10.0.x
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1006&productId=742
https://docs.vmware.com/en/VMware-Remote-Console/10.0/rn/VMware-Remote-Console-1006-Release-Notes.html
VMware Horizon Client 5.2.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html
5. Change log
2019-09-19: VMSA-2019-0014 Initial security advisory in conjunction with the release of Workstation 15.5.0 and Fusion 11.5.0 on 2019-09-19.
2019-09-21: VMSA-2019-0014.1 Updated security advisory to clarify Known Attack Vectors of Issue 3(a).
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2019 VMware Inc. All rights reserved.