Vulnerabilities > CVE-2019-5516 - Out-of-bounds Read vulnerability in VMWare Esxi, Fusion and Workstation

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
PARTIAL
network
vmware
CWE-125
nessus

Summary

VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-201903001), Workstation (15.x before 15.0.3 and 14.x before 14.1.6), Fusion (11.x before 11.0.3 and 10.x before 10.1.6) updates address an out-of-bounds vulnerability with the vertex shader functionality. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL familyGeneral
    NASL idVMWARE_WORKSTATION_VMSA_2019_0006.NASL
    descriptionThe version of VMware Workstation installed on the remote host is 14.x prior to 14.1.6 or 15.x prior to 15.0.3. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read vulnerability exists in the vertex shader component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5516) - An out-of-bounds read vulnerability exists in the shader translator component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5517) - An out-of-bounds read vulnerability in the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information. (CVE-2019-5520) Note virtual machines must be configured with the 3D-acceleration enabled. VMware Workstation defaults to this feature being enabled.
    last seen2020-06-01
    modified2020-06-02
    plugin id124298
    published2019-04-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124298
    titleVMware Workstation 14.x < 14.1.6 / 15.x < 15.0.3 Multiple Vulnerabilities (VMSA-2019-0006)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124298);
      script_version("1.3");
      script_cvs_date("Date: 2019/10/30 13:24:46");
    
      script_cve_id("CVE-2019-5516", "CVE-2019-5517", "CVE-2019-5520");
      script_bugtraq_id(107878, 107879, 107880);
      script_xref(name:"VMSA", value:"2019-0006");
      script_xref(name:"IAVA", value:"2019-A-0134");
    
      script_name(english:"VMware Workstation 14.x < 14.1.6 / 15.x < 15.0.3 Multiple Vulnerabilities (VMSA-2019-0006)");
      script_summary(english:"Checks the VMware Workstation version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote Windows host is
    affected by an uninitialized stack memory usage vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of VMware Workstation installed on the remote
    host is 14.x prior to 14.1.6 or 15.x prior to 15.0.3. It is,
    therefore, affected by multiple vulnerabilities :
    
      - An out-of-bounds read vulnerability exists in the vertex
        shader component of the 3D-acceleration feature could
        allow an authenticated attacker to disclose sensitive
        information or cause a denial-of-service of the guest
        virtual machine. (CVE-2019-5516)
    
      - An out-of-bounds read vulnerability exists in the shader
        translator component of the 3D-acceleration feature could
        allow an authenticated attacker to disclose sensitive
        information or cause a denial-of-service of the guest
        virtual machine. (CVE-2019-5517)
    
      - An out-of-bounds read vulnerability in the
        3D-acceleration feature could allow an authenticated
        attacker to disclose sensitive information.
        (CVE-2019-5520)
    
    Note virtual machines must be configured with the 3D-acceleration
    enabled. VMware Workstation defaults to this feature being enabled.
    ");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0006.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Workstation version 14.1.6, 15.0.3, or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5516");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/25");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"General");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_workstation_detect.nasl", "vmware_workstation_linux_installed.nbin");
      script_require_keys("installed_sw/VMware Workstation");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    if (get_kb_item("SMB/Registry/Enumerated")) win_local = TRUE;
    
    app_info = vcf::get_app_info(app:"VMware Workstation", win_local:win_local);
    
    vcf::check_granularity(app_info:app_info, sig_segments:2);
    
    constraints = [
      { "min_version" : "14", "fixed_version" : "14.1.6" },
      { "min_version" : "15", "fixed_version" : "15.0.3" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2019-0006.NASL
    descriptiona. VMware ESXi, Workstation and Fusion vertex shader out-of-bounds read vulnerability VMware ESXi, Workstation and Fusion updates address an out-of-bounds vulnerability with the vertex shader functionality. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5516 to this issue. b. VMware ESXi, Workstation and Fusion multiple shader translator out-of-bounds read vulnerabilities VMware ESXi, Workstation and Fusion contain multiple out-of-bounds read vulnerabilities in the shader translator. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for these issues involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. VMware would like to thank RanchoIce of Tencent Security ZhanluLab for reporting these issues to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5517 to these issues. c. VMware ESXi, Workstation and Fusion out-of-bounds read vulnerability VMware ESXi, Workstation and Fusion updates address an out-of-bounds read vulnerability. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. VMware would like to thank instructor working with Trend Micro
    last seen2020-06-01
    modified2020-06-02
    plugin id124192
    published2019-04-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124192
    titleVMSA-2019-0006 : VMware ESXi, Workstation and Fusion updates address multiple out-of-bounds read vulnerabilities
  • NASL familyMisc.
    NASL idVMWARE_ESXI_VMSA-2019-0006.NASL
    descriptionThe remote VMware ESXi host is version 6.5 or 6.7 and is missing a security patch. It is, therefore, vulnerable to multiple vulnerabilities, including: - An out-of-bounds read vulnerability exists in the vertex shader component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5516) - An out-of-bounds read vulnerability exists in the shader translator component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5517) - An out-of-bounds read vulnerability in the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information. (CVE-2019-5520) Note virtual machines must be configured with the 3D-acceleration enabled. VMware ESXi defaults to this feature not being enabled.
    last seen2020-06-01
    modified2020-06-02
    plugin id124300
    published2019-04-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124300
    titleESXi 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0006) (Remote Check)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FUSION_VMSA_2019_0006.NASL
    descriptionThe version of VMware Fusion installed on the remote macOS or Mac OS X host is 10.x prior to 10.1.6 or 11.x prior to 11.0.3. It is, therefore, affected by multiple vulnerabilities, including: - An out-of-bounds read vulnerability exists in the vertex shader component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5516) - An out-of-bounds read vulnerability exists in the shader translator component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5517) - An out-of-bounds read vulnerability in the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information. (CVE-2019-5520) Note virtual machines must be configured with the 3D-acceleration enabled. VMware Fusion defaults to this feature being enabled.
    last seen2020-06-01
    modified2020-06-02
    plugin id124299
    published2019-04-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124299
    titleVMware Fusion 10.x < 10.1.6 / 11.x < 11.0.3 Multiple Vulnerabilities (VMSA-2019-0005) (macOS)

Talos

idTALOS-2019-0762
last seen2019-05-29
published2019-04-15
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0762
titleVMware Workstation 15 vertex shader functionality denial-of-service vulnerability