Today, VMware has released the following new security advisory:

“VMSA-2019-0009 – VMware Tools and Workstation updates address out of bounds read and use-after-free vulnerabilities (CVE-2019-5522, CVE-2019-5525)”

This documents the remediation of two important severity issues in VMware Tools and VMware Workstation respectively.

Issue (a) CVE-2019-5522 an out of bounds read vulnerability in vm3dmp driver which is installed with vmtools in Windows guest machines. A local attacker with non-administrative access to a Windows guest with VMware Tools installed may be able to leak kernel information or create a denial of service attack on the same Windows guest machine. This issue has been addressed in VMware Tools 10.3.10.

Issue (b) CVE-2019-5525 is a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) backend and affects VMware Workstation. A malicious user with normal user privileges on the guest machine may exploit this issue to execute code on the host. This issue has been addressed in VMware Workstation 15.1.0.

We would like to thank ChenNan and RanchoIce of Tencent ZhanluLab and Brice L’helgouarc’h of Amossys for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new security advisory:

VMSA-2019-0006 – VMware ESXi, Workstation and Fusion updates address multiple out-of-bounds read vulnerabilities

This advisory documents Important Severity issues.

Issue (a) VMware ESXi, Workstation and Fusion updates address an out-of-bounds vulnerability (CVE-2019-5516) with the vertex shader functionality. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.  The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

Issue (b) VMware ESXi, Workstation and Fusion contain multiple out-of-bounds read vulnerabilities  (CVE-2019-5517) in the shader translator. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for these issues involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

VMware would like to thank RanchoIce of Tencent Security ZhanluLab for reporting these issues to us.

Issue (c) VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability (CVE-2019-5520). Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure.

VMware would like to thank instructor working with Trend Micro’s Zero Day Initiative for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new security advisories:

VMSA-2019-0004: VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability

This advisory documents a Critical severity Remote Session Hijack vulnerability (CVE-2019-5523) in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.

We would like to thank Tyler Flaagan, Eric Holm, Andrew Kramer, and Logan Stratton of Dakota State University for reporting this issue to us.

VMSA-2019-0005 – VMware ESXi, Workstation and Fusion updates address multiple security issues

This advisory documents Critical and Important Severity issues.

Critical issue (a) VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability (CVE-2019-5518) and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface) (CVE-2019-5519). Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host.

Critical issue (b) VMware Workstation and Fusion contain an out-of-bounds write vulnerability in the e1000 virtual network adapter (CVE-2019-5524). This issue may allow a guest to execute code on the host.

Important issue (c) VMware Workstation and Fusion updates address an out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters (CVE-2019-5515). Exploitation of this issue may lead to code execution on the host from the guest but it is more likely to result in a denial of service of the guest.

Critical Issue (d) VMware Fusion contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket (CVE-2019-5514). An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines.

We would like to thank Fluoroacetate team of Amat Cama and Richard Zhu, working with the Pwn2Own 2019 Security Contest, researcher Zhangyanyu of Chaitin Tech, ZhanluLab working with Trend Micro’s Zero Day Initiative, CodeColorist (@CodeColorist) and Csaba Fitzl (@theevilbit) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new security advisory:

“VMSA-2018-0031 – vRealize Operations updates address a local privilege escalation vulnerability”

This documents the remediation of an important severity local privilege escalation vulnerability (CVE-2018-6978) in vRealize Operations (vROps). The issue exists due to improper permissions of support scripts. Admin** user of the vROps application with shell access may exploit this issue to elevate the privileges to root on a vROps machine.

**The admin user (non-sudoer) should not be confused with root of the vROps machine.

We would like to thank Alessandro Zanni, pentester at OVH for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new security advisory:

VMSA-2018-0025 – VMware ESXi, Workstation, and Fusion workarounds address a denial-of-service vulnerability

This documents an important severity denial-of-service vulnerability that affects VMware ESXi, Workstation and Fusion. This issue arises due to an infinite loop in the 3D-rendering shader. Successfully exploiting this issue may allow an attacker with normal user privileges in the guest to make the VM unresponsive, and in some cases, possibly result other VMs on the host or the host itself becoming unresponsive. The issue can only be exploited if 3D-acceleration feature is enabled

3D-acceleration feature is enabled by default on Workstation and Fusion. On ESXi, this feature is not enabled by default and this is also true for Horizon 6 & 7, Horizon DaaS Platform for Service Providers, and VMC on AWS.

Because many graphics API’s and hardware lack pre-emption support, a specially crafted 3D shader may loop for an infinite amount of time and lock up a VM’s virtual graphics device. Such a shader cannot always be validated by VMware hypervisors, since it may be well-formed but still cause problems if designed to run for an extremely long time. In such cases, VMware hypervisors then rely on the host’s graphics driver to ensure that other users of 3D graphics on the host are not impacted by the malicious VM. However, many graphics drivers may themselves get into to a denial-of-service condition caused by such infinite shaders, and as a result other VMs or processes running on the host might also be affected.

There is no patch for this issue, customers must review their risk and apply the workarounds if applicable. We have released workarounds documented in VMSA-2018-0025.

We would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Also, we wanted to make you aware that Intel has released a security bulletin entitled “INTEL-SA-00166 – Multiple potential security vulnerabilities in Intel Graphics Drivers may allow escalation of privilege or denial of service . Intel is releasing Intel Graphics Driver updates to mitigate these potential vulnerabilities”.

It documents the remediation of CVE-2018-12152, CVE-2018-12153 and CVE-2018-12154. These issues have been shown to affect VMware Workstation running on Windows. Therefore, we wanted to make sure you are informed of these issues so that they can be appropriately mitigated by the updates that Intel has provided in INTEL-SA-00166.

Customers should review the available documentation and direct technical inquiries to VMware Support for further assistance.

Today, VMware has released the following new and updated security advisories:

VMSA-2018-0022 – VMware Workstation and Fusion updates address an out-of-bounds write issue
VMSA-2018-0019.1 – Horizon 6, 7, Horizon Agent, and Horizon Client for Windows updates address an out-of-bounds read vulnerability

VMSA-2018-0022 documents the remediation of a critical severity out-of-bounds read vulnerability (CVE-2018-6973) in VMware Workstation and Fusion. Successfully exploiting this issue may allow allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 14.1.3 and Fusion 10.1.3.

VMSA-2018-0019.1 was updated to clarify about affected products.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new and updated security advisories:

VMSA-2018-0019 – Horizon 6, 7, and Horizon Client for Windows updates address an out-of-bounds read vulnerability
VMSA-2015-0007.7 – VMware vCenter and ESXi updates address critical security issues

VMSA-2018-0019 documents the remediation of an important severity out-of-bounds read vulnerability (CVE-2018-6970) in Horizon 6, 7, and Horizon Client for Windows. Successfully exploiting this issue may allow a less-privileged user to leak information from a privileged process running on a system where Horizon Connection Server, Horizon Agent or Horizon Client are installed. This issue doesn’t apply to Horizon 6, 7 Agents installed on Linux systems or Horizon Clients installed on non-Windows systems.

VMSA-2015-0007.7 was issued to add the patches for ESXi 6.0, 6.5 and 6.7 that address CVE-2015-5177. Recently, we found that this issue affects ESXi 6.0, 6.5 and 6.7.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new security advisory:

“VMSA-2018-0017 – VMware Tools update addresses an out-of-bounds read vulnerability”

This documents the remediation of an important severity out-of-bounds read vulnerability (CVE-2018-6969) in VMware Tools. Successful exploitation of this issue may lead to information disclosure or may allow attackers to escalate their privileges on the guest VMs. File sharing must be enabled to be able to exploit this issue.

VMware Tools 10.x and prior versions are affected. This issue has been addressed in VMware Tools 10.3.0.

We would like to thank Anurudh for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today VMware has released the following new security advisory:

“VMSA-2018-0014 – VMware Horizon Client update addresses a privilege escalation vulnerability”

This documents the remediation of an important severity local privilege escalation
vulnerability (CVE-2018-6964) in VMware Horizon Client for Linux. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on a Linux machine where Horizon Client is installed.

VMware Horizon Client for Linux 4.x and prior versions are affected. This issue has been addressed in VMware Horizon Client for Linux 4.8.0.

We would like to thank Nassim Abbaoui, pentester at OVH, for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new security advisory:

“VMSA-2018-0013 – VMware Workstation and Fusion updates address signature bypass and multiple denial-of-service vulnerabilities”

This documents the remediation of an important severity issue (CVE-2018-6962) in VMware Fusion and moderate severity issues (CVE-2018-6963) in VMware Workstation and Fusion.

Issue (a) CVE-2018-6962 is signature bypass vulnerability which may lead to a local privilege escalation. This issue has been addressed in VMware Fusion 10.1.2.

Issue (b) CVE-2018-6963 is multiple denial-of-service vulnerabilities in the RPC handler. Exploitation of these issues may allow an attacker with limited privileges on the guest machine trigger a denial-of-service of their guest machine. These issue have been addressed in VMware Workstation 14.1.2 and Fusion 10.1.2.

We would like to thank CodeColorist of AntFinancial LightYear Security Labs, Hahna Latonick and Kevin Fujimoto working with Trend Micro’s Zero Day Initiative, and Bruno Botelho (@utxsec) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.