Vulnerabilities > CVE-2019-5520 - Out-of-bounds Read vulnerability in VMWare Esxi, Fusion and Workstation
Summary
VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-201903001), Workstation (15.x before 15.0.3 and 14.x before 14.1.6), Fusion (11.x before 11.0.3 and 10.x before 10.1.6) updates address an out-of-bounds read vulnerability. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure.The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family General NASL id VMWARE_WORKSTATION_VMSA_2019_0006.NASL description The version of VMware Workstation installed on the remote host is 14.x prior to 14.1.6 or 15.x prior to 15.0.3. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read vulnerability exists in the vertex shader component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5516) - An out-of-bounds read vulnerability exists in the shader translator component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5517) - An out-of-bounds read vulnerability in the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information. (CVE-2019-5520) Note virtual machines must be configured with the 3D-acceleration enabled. VMware Workstation defaults to this feature being enabled. last seen 2020-06-01 modified 2020-06-02 plugin id 124298 published 2019-04-25 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124298 title VMware Workstation 14.x < 14.1.6 / 15.x < 15.0.3 Multiple Vulnerabilities (VMSA-2019-0006) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(124298); script_version("1.3"); script_cvs_date("Date: 2019/10/30 13:24:46"); script_cve_id("CVE-2019-5516", "CVE-2019-5517", "CVE-2019-5520"); script_bugtraq_id(107878, 107879, 107880); script_xref(name:"VMSA", value:"2019-0006"); script_xref(name:"IAVA", value:"2019-A-0134"); script_name(english:"VMware Workstation 14.x < 14.1.6 / 15.x < 15.0.3 Multiple Vulnerabilities (VMSA-2019-0006)"); script_summary(english:"Checks the VMware Workstation version."); script_set_attribute(attribute:"synopsis", value: "A virtualization application installed on the remote Windows host is affected by an uninitialized stack memory usage vulnerability."); script_set_attribute(attribute:"description", value: "The version of VMware Workstation installed on the remote host is 14.x prior to 14.1.6 or 15.x prior to 15.0.3. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read vulnerability exists in the vertex shader component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5516) - An out-of-bounds read vulnerability exists in the shader translator component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5517) - An out-of-bounds read vulnerability in the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information. (CVE-2019-5520) Note virtual machines must be configured with the 3D-acceleration enabled. VMware Workstation defaults to this feature being enabled. "); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0006.html"); script_set_attribute(attribute:"solution", value: "Upgrade to VMware Workstation version 14.1.6, 15.0.3, or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5516"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/11"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/25"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"General"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("vmware_workstation_detect.nasl", "vmware_workstation_linux_installed.nbin"); script_require_keys("installed_sw/VMware Workstation"); exit(0); } include("vcf.inc"); if (get_kb_item("SMB/Registry/Enumerated")) win_local = TRUE; app_info = vcf::get_app_info(app:"VMware Workstation", win_local:win_local); vcf::check_granularity(app_info:app_info, sig_segments:2); constraints = [ { "min_version" : "14", "fixed_version" : "14.1.6" }, { "min_version" : "15", "fixed_version" : "15.0.3" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2019-0006.NASL description a. VMware ESXi, Workstation and Fusion vertex shader out-of-bounds read vulnerability VMware ESXi, Workstation and Fusion updates address an out-of-bounds vulnerability with the vertex shader functionality. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5516 to this issue. b. VMware ESXi, Workstation and Fusion multiple shader translator out-of-bounds read vulnerabilities VMware ESXi, Workstation and Fusion contain multiple out-of-bounds read vulnerabilities in the shader translator. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for these issues involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. VMware would like to thank RanchoIce of Tencent Security ZhanluLab for reporting these issues to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5517 to these issues. c. VMware ESXi, Workstation and Fusion out-of-bounds read vulnerability VMware ESXi, Workstation and Fusion updates address an out-of-bounds read vulnerability. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. VMware would like to thank instructor working with Trend Micro last seen 2020-06-01 modified 2020-06-02 plugin id 124192 published 2019-04-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124192 title VMSA-2019-0006 : VMware ESXi, Workstation and Fusion updates address multiple out-of-bounds read vulnerabilities NASL family Misc. NASL id VMWARE_ESXI_VMSA-2019-0006.NASL description The remote VMware ESXi host is version 6.5 or 6.7 and is missing a security patch. It is, therefore, vulnerable to multiple vulnerabilities, including: - An out-of-bounds read vulnerability exists in the vertex shader component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5516) - An out-of-bounds read vulnerability exists in the shader translator component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5517) - An out-of-bounds read vulnerability in the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information. (CVE-2019-5520) Note virtual machines must be configured with the 3D-acceleration enabled. VMware ESXi defaults to this feature not being enabled. last seen 2020-06-01 modified 2020-06-02 plugin id 124300 published 2019-04-25 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124300 title ESXi 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0006) (Remote Check) NASL family MacOS X Local Security Checks NASL id MACOSX_FUSION_VMSA_2019_0006.NASL description The version of VMware Fusion installed on the remote macOS or Mac OS X host is 10.x prior to 10.1.6 or 11.x prior to 11.0.3. It is, therefore, affected by multiple vulnerabilities, including: - An out-of-bounds read vulnerability exists in the vertex shader component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5516) - An out-of-bounds read vulnerability exists in the shader translator component of the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service of the guest virtual machine. (CVE-2019-5517) - An out-of-bounds read vulnerability in the 3D-acceleration feature could allow an authenticated attacker to disclose sensitive information. (CVE-2019-5520) Note virtual machines must be configured with the 3D-acceleration enabled. VMware Fusion defaults to this feature being enabled. last seen 2020-06-01 modified 2020-06-02 plugin id 124299 published 2019-04-25 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124299 title VMware Fusion 10.x < 10.1.6 / 11.x < 11.0.3 Multiple Vulnerabilities (VMSA-2019-0005) (macOS)