Vulnerabilities > CVE-2019-5541 - Out-of-bounds Write vulnerability in VMWare Fusion and Workstation

047910
CVSS 9.1 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
vmware
CWE-787
critical
nessus

Summary

VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1) contain an out-of-bounds write vulnerability in the e1000e virtual network adapter. Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition on their own VM.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyWindows
    NASL idVMWARE_WORKSTATION_VMSA_2019_0021.NASL
    descriptionThe version of VMware Workstation installed on the remote Windows host is 15.0.x prior to 15.5.1. It is, therefore, affected by multiple vulnerabilities: - An unspecified information disclosure vulnerability in vmnetdhcp. (CVE-2019-5540) - An unspecified out-of-bounds write vulnerability in the e1000e virtual network adapter. (CVE-2019-5541) - An unspecified denial-of-service vulnerability in the RPC handler. (CVE-2019-5542) - Unspecified vulnerabilities related to hypervisor-specific mitigations for TSX Asynchronous Abort (TAA). (CVE-2019-11135)
    last seen2020-03-21
    modified2019-11-20
    plugin id131129
    published2019-11-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131129
    titleVMware Workstation 15.0.x < 15.5.1 Multiple Vulnerabilities (VMSA-2019-0020, VMSA-2019-0021)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131129);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/20");
    
      script_cve_id(
        "CVE-2019-5540",
        "CVE-2019-5541",
        "CVE-2019-5542",
        "CVE-2019-11135"
      );
      script_xref(name:"VMSA", value:"2019-0020");
      script_xref(name:"VMSA", value:"2019-0021");
    
      script_name(english:"VMware Workstation 15.0.x < 15.5.1 Multiple Vulnerabilities (VMSA-2019-0020, VMSA-2019-0021)");
    
      script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote Windows host is affected by multiple vulnerabilities");
      script_set_attribute(attribute:"description", value:
    "The version of VMware Workstation installed on the remote Windows host is 15.0.x prior to 15.5.1. It is, therefore,
    affected by multiple vulnerabilities:
    
      - An unspecified information disclosure vulnerability in vmnetdhcp. (CVE-2019-5540)
    
      - An unspecified out-of-bounds write vulnerability in the e1000e virtual network adapter. (CVE-2019-5541)
    
      - An unspecified denial-of-service vulnerability in the RPC handler. (CVE-2019-5542)
    
      - Unspecified vulnerabilities related to hypervisor-specific mitigations for TSX Asynchronous Abort (TAA).
        (CVE-2019-11135)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0020.html");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0021.html");
      script_set_attribute(attribute:"solution", value:
    "Update to VMware Workstation version 15.5.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5541");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_workstation_detect.nasl");
      script_require_keys("SMB/Registry/Enumerated", "installed_sw/VMware Workstation");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    get_kb_item_or_exit('SMB/Registry/Enumerated');
    
    app_info = vcf::get_app_info(app:'VMware Workstation', win_local:TRUE);
    
    constraints = [
      { 'min_version' : '15.0', 'fixed_version' : '15.5.1' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FUSION_VMSA_2019_0021.NASL
    descriptionThe version of VMware Fusion installed on the remote macOS or Mac OS X host is 11.0.x prior to 11.5.1. It is, therefore, affected by multiple vulnerabilities: - An unspecified information disclosure vulnerability in vmnetdhcp. (CVE-2019-5540) - An unspecified out-of-bounds write vulnerability in the e1000e virtual network adapter. (CVE-2019-5541) - An unspecified denial-of-service vulnerability in the RPC handler. (CVE-2019-5542) - Unspecified vulnerabilities related to hypervisor-specific mitigations for TSX Asynchronous Abort (TAA). (CVE-2019-11135)
    last seen2020-03-21
    modified2019-11-20
    plugin id131128
    published2019-11-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131128
    titleVMware Fusion 11.0.x < 11.5.1 Multiple Vulnerabilities (VMSA-2019-0020, VMSA-2019-0021)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131128);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/20");
    
      script_cve_id(
        "CVE-2019-5540",
        "CVE-2019-5541",
        "CVE-2019-5542",
        "CVE-2019-11135"
      );
      script_xref(name:"VMSA", value:"2019-0020");
      script_xref(name:"VMSA", value:"2019-0021");
    
      script_name(english:"VMware Fusion 11.0.x < 11.5.1 Multiple Vulnerabilities (VMSA-2019-0020, VMSA-2019-0021)");
    
      script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities");
      script_set_attribute(attribute:"description", value:
    "The version of VMware Fusion installed on the remote macOS or Mac OS X host is 11.0.x prior to 11.5.1. It is, therefore,
    affected by multiple vulnerabilities:
    
      - An unspecified information disclosure vulnerability in vmnetdhcp. (CVE-2019-5540)
    
      - An unspecified out-of-bounds write vulnerability in the e1000e virtual network adapter. (CVE-2019-5541)
    
      - An unspecified denial-of-service vulnerability in the RPC handler. (CVE-2019-5542)
    
      - Unspecified vulnerabilities related to hypervisor-specific mitigations for TSX Asynchronous Abort (TAA).
        (CVE-2019-11135)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0020.html");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0021.html");
      script_set_attribute(attribute:"solution", value:
    "Update to VMware Fusion version 11.5.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5541");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_fusion_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "installed_sw/VMware Fusion");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    
    app_info = vcf::get_app_info(app:'VMware Fusion');
    
    constraints = [
      { 'min_version' : '11.0', 'fixed_version' : '11.5.1' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);