VMware Security Advisories
| Advisory ID | VMSA-2019-0007 |
| Advisory Severity | Moderate |
| CVSSv3 Range | 6.0 |
| Synopsis | VMware Workstation update addresses a DLL-hijacking issue (CVE-2019-5526) |
| Issue Date | 2019-05-14 |
| Updated On | 2019-05-14 (Initial Advisory) |
| CVE(s) | CVE-2019-5526 |
1. Impacted Products
- VMware Workstation Pro / Player (Workstation)
2. Introduction
VMware Workstation update addresses a DLL-hijacking issue:
- CVE-2019-5526: VMware Workstation DLL hijacking vulnerability
3. VMware Workstation DLL hijacking vulnerability - CVE-2019-5526
Description:
VMware Workstation contains a DLL hijacking issue because some DLL files are improperly loaded by the application. VMware’s Security Engineering and Response (vSECR) organization has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.0.
Known Attack Vectors:
Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to administrator on a windows host where Workstation is installed.
Resolution:
Update to Workstation 15.1.0 in order to resolve this issue.
Workarounds:
There are no workarounds for this issue.
Additional Documentations:
None.
Acknowledgements:
VMware would like to thank Boris Ryutin along with Miguel Méndez Zúñiga and Claudio Cortés Cid of ElevenPaths labs in Chile and Spain for independently reporting this issue to us.
Response Matrix:
| Product | Version | Running On | CVE Identifier | CVSSV3 | Severity | Fixed Version | Workarounds | Additional Documents |
| Workstation | 15.x | Windows | CVE-2019-5526 | 6.0 | Moderate | 15.1.0 | None | None |
4. References
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5526
Fixed Version(s) and Release Notes:
VMware Workstation Pro 15.1.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 15.1.0
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
5. Change log
VMSA-2019-0007 - Initial security advisory in conjunction with the release of Workstation 15.1.0 on 2019-05-14.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2019 VMware Inc. All rights reserved.