Advisory ID VMSA-2019-0014.1
Advisory Severity Important
CVSSv3 Range 4.7-8.5
Synopsis VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535)
Issue Date 2019-09-19
Updated On 2019-09-21
CVE(s) CVE-2019-5527, CVE-2019-5535
1. Impacted Products
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Remote Console  for Windows (VMRC for Windows)
  • VMware Remote Console  for Linux (VMRC for Linux)
  • VMware Horizon Client for Windows
  • VMware Horizon Client for Linux
  • VMware Horizon Client for Mac
2. Introduction
VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial-of-service vulnerabilities.
  • CVE-2019-5527: ESXi, Workstation, Fusion, VMRC and Horizon Client use-after-free vulnerability
  • CVE-2019-5535: VMware Workstation and Fusion network denial-of-service vulnerability
 
3a. ESXi, Workstation, Fusion, VMRC and Horizon Client use-after-free vulnerability - CVE-2019-5527

Description:

ESXi, Workstation, Fusion, VMRC and Horizon Client contain a use-after-free vulnerability in the virtual sound device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.5.

 

Known Attack Vectors:

A local attacker with non-administrative access on the guest machine may exploit this issue to execute code on the host.

 

Resolution:

To remediate CVE-2019-5527, update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

None.

 

Additional Documentations:

None.

 

Notes:

None.

 

Acknowledgements:

VMware would like to thank Will Dormann of the CERT/CC and wenqunwang from Codesafe Team of Legendsec at Qi'anxin Group for independently reporting this issue to us.

 

Response Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
ESXi
6.7 Any
CVE-2019-5527
8.5
Important
ESXi670-201904101-SG
None None
ESXi 6.5 Any CVE-2019-5527 8.5
Important ESXi650-201903401-SG None None
ESXi 6.0 Any CVE-2019-5527 8.5 Important ESXi600-201909101-SG None None
Workstation 15.x Any CVE-2019-5527 8.5 Important 15.5.0 None None
Fusion 11.x OS X CVE-2019-5527 8.5 Important 11.5.0 None None
VMRC for Windows 10.x Windows CVE-2019-5527 8.5 Important 10.0.5 and Later None None
VMRC for Linux 10.x Linux
CVE-2019-5527 8.5 Important 10.0.5 and Later None None
Horizon Client for Windows 5.x and prior Windows CVE-2019-5527 8.0 Important 5.2.0 None None
Horizon Client for Linux 5.x and prior Linux CVE-2019-5527 8.0 Important 5.2.0 None None
Horizon Client for Mac 5.x and prior OS X CVE-2019-5527 8.0 Important 5.2.0 None None
3b. VMware Workstation and Fusion network denial-of-service vulnerability - CVE-2019-5535

Description:

VMware Workstation and Fusion contain a network denial-of-service vulnerability due to improper handling of certain IPv6 packets. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.

 

Known Attack Vectors:

An attacker may exploit this issue by sending a specially crafted IPv6 packet from a guest machine on the VMware NAT to disallow network access for all guest machines using VMware NAT mode. This issue can be exploited only if IPv6 mode for VMNAT is enabled.

 

Resolution:

To remediate CVE-2019-5535, update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

None.

 

Additional Documentations:

None.

 

Notes:

IPv6 mode for VMNAT is not enabled by default.

 

Acknowledgements:

VMware would like to thank Carlos Garcia Prado from FireEye for reporting this issue to us.

 

Response Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
Workstation
15.x
Any
CVE-2019-5535
4.7
Moderate
15.5.0
None None
Fusion 11.x OS X CVE-2019-5535
4.7
Moderate
11.5.0 None
None

4. References

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5535

 

Fixed Version(s) and Release Notes:

 

VMware ESXi 6.7 U2
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=ESXI67U2
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html

 

VMware ESXi 6.5, Patch Release ESXi650-201903001 
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201903001.html

 

VMware ESXi 6.0, Patch Release ESXi600-201909001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201909001.html

 

VMware Workstation 15.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

 

VMware Fusion 11.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

 

VMware Remote Console 10.0.x
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1006&productId=742
https://docs.vmware.com/en/VMware-Remote-Console/10.0/rn/VMware-Remote-Console-1006-Release-Notes.html

 

VMware Horizon Client 5.2.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

 

5. Change log
 

2019-09-19: VMSA-2019-0014 Initial security advisory in conjunction with the release of Workstation 15.5.0 and Fusion 11.5.0 on 2019-09-19.

 

2019-09-21: VMSA-2019-0014.1 Updated security advisory to clarify Known Attack Vectors of Issue 3(a).

 

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2019 VMware Inc. All rights reserved.

 

Sign up for Security Advisories

Enter your email address: