VMware has released the following new security advisories:
VMSA-2019-0002 – VMware Workstation update addresses elevation of privilege issues.
This advisory documents important-severity elevation of privilege issues.
Issue (a) (CVE-2019-5511). Workstation does not handle paths appropriately. Successful exploitation of this issue may allow the path to the VMX executable, on a Windows host, to be hijacked by a non-administrator leading to elevation of privilege.
Issue (b) (CVE-2019-5512). COM classes are not handled appropriately. Successful exploitation of this issue may allow hijacking of COM classes used by the VMX process, on a Windows host, leading to elevation of privilege.
These issues have been addressed in Workstation 15.0.3 and 14.1.6.
VMware would like to thank James Forshaw of Google Project Zero for reporting these issues to us.
VMSA-2019-0003 – VMware Horizon update addresses Connection Server information disclosure vulnerability.
(CVE-2019-5513). The VMware Horizon Connection Server contains a moderate severity information disclosure vulnerability. Successful exploitation of this issue may allow disclosure of internal domain names, the Connection Server’s internal name, or the gateway’s internal IP address.
VMware would like to thank Cory Mathews of Critical Start and HD Moore of Atredis Partners for independently reporting this issue to us.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.
Customers should review the security advisories and direct any questions to VMware Support.