Vulnerabilities > CVE-2019-5521 - Out-of-bounds Read vulnerability in VMWare Esxi, Fusion and Workstation
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
PARTIAL Summary
VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-201903001), Workstation (15.x before 15.0.3 and 14.x before 14.1.6) and Fusion (11.x before 11.0.3 and 10.x before 10.1.6) contain an out-of-bounds read vulnerability in the pixel shader functionality. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host. Exploitation of this issue require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family Misc. NASL id VMWARE_ESXI_VMSA-2019-0012.NASL description The remote VMware ESXi host is version 6.5 or 6.7 and is affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 128035 published 2019-08-20 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128035 title ESXi 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0012) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(128035); script_version("1.2"); script_cvs_date("Date: 2019/10/17 14:31:04"); script_cve_id("CVE-2019-5521", "CVE-2019-5684"); script_bugtraq_id(93287); script_xref(name:"VMSA", value:"2019-0012"); script_xref(name:"IAVA", value:"2019-A-0278"); script_name(english:"ESXi 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0012)"); script_summary(english:"Checks the ESXi version and build number."); script_set_attribute(attribute:"synopsis", value: "The remote VMware ESXi host is missing a security patch and is affected by pixel shader out-of-bounds read/write vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote VMware ESXi host is version 6.5 or 6.7 and is affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0012.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch as referenced in the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5684"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/02"); script_set_attribute(attribute:"patch_publication_date", value:"2019/08/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/20"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("vmware_vsphere_detect.nbin"); script_require_keys("Host/VMware/version", "Host/VMware/release", "Settings/ParanoidReport"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); if (report_paranoia < 2) audit(AUDIT_PARANOID); fixes = make_array( '6.5', '13932383', '6.7', '13981272' ); rel = get_kb_item_or_exit('Host/VMware/release'); if ('ESXi' >!< rel) audit(AUDIT_OS_NOT, 'ESXi'); ver = get_kb_item_or_exit('Host/VMware/version'); match = pregmatch(pattern:'^ESXi? ([0-9]+\\.[0-9]+).*$', string:ver); if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.5 / 6.7'); ver = match[1]; if (ver !~ '^6\\.(5|7)$') audit(AUDIT_OS_NOT, 'ESXi 6.5 / 6.7'); fixed_build = int(fixes[ver]); if (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver); match = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel); if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.5 / 6.7'); build = int(match[1]); if (!(build < fixed_build)) audit(AUDIT_INST_VER_NOT_VULN, 'VMware ESXi', ver + ' build ' + build); report = '\n ESXi version : ' + ver + '\n Installed build : ' + build + '\n Fixed build : ' + fixed_build + '\n'; security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);NASL family Windows NASL id VMWARE_WORKSTATION_WIN_VMSA_2019_0012.NASL description The version of VMware Workstation installed on the remote Windows host is 14.0.x prior to 14.1.6 or 15.0.x prior to 15.0.3. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127138 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127138 title VMware Workstation 14.0.x < 14.1.6 / 15.0.x < 15.0.3 Pixel Shader out-of-bounds read/write vulnerabilities (VMSA-2019-0012) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2019-0012.NASL description Pixel shader vulnerabilities VMware ESXi, Workstation and Fusion contain out-of-bounds read/write vulnerabilities in the pixel shader functionality. Exploitation of these issues require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. Successful exploitation of the out-of-bounds read issue (CVE-2019-5521) may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host. The out-of-bounds write issue (CVE-2019-5684) can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host. Customers should check NVIDIA security advisory for additional information. last seen 2020-06-01 modified 2020-06-02 plugin id 127807 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127807 title VMSA-2019-0012 : Out-of-bounds pixel shader vulnerabilities NASL family MacOS X Local Security Checks NASL id MACOSX_FUSION_VMSA_2019_0012.NASL description The version of VMware Fusion installed on the remote macOS or Mac OS X host is 10.0.x prior to 10.1.6 or 11.0.x prior to 11.0.3. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127135 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127135 title VMware Fusion 10.0.x < 10.1.6 / 11.0.x < 11.0.3 Pixel Shader out-of-bounds read/write vulnerabilities (VMSA-2019-0012)