VMware VMSA-2019-0005 Addresses Five Vulnerabilities in ESXi, Workstation and Fusion
On March 28, VMware published security advisories for vulnerabilities in VMware ESXi, Workstation and Fusion. VMSA-2019-0005 addresses five vulnerabilities, including a pair of critical vulnerabilities that were revealed at the annual computer hacking contest Pwn2Own.
A research team called Fluoroacetate uncovered two bugs in the virtual USB 1.1 Universal Host Controller Interface (UHCI): an out-of-bounds read/write vulnerability (CVE-2019-5518) and a Time-of-check Time-of-use (TOCTOU) vulnerability (CVE-2019-5519). These bugs are local in nature, so an attacker would need to be able to access the virtual machine along with a virtual USB controller. Successful exploitation of these two bugs would result in the guest being able to execute code on the host environment.
Tweet from Ryan Naraine about these vulnerabilities from the event:
"Successful VM escape exploit. Impressive work by Amat Cama and Richard Zhu"
https://twitter.com/ryanaraine/status/1108489999840735235
Both of these bugs have been addressed in the following VMware releases:
- VMware ESXi 6.7: ESXi670-201903001
- VMware ESXi 6.5: ESXi650-201903001
- VMware ESXi 6.1: ESXi600-201903001
- VMware Workstation 15.x: 15.0.4
- VMware Workstation 14.x: 14.1.7
- VMware Fusion 11.x (macOS): 11.0.3
- VMware Fusion 10.x (macOS): 10.1.6
This release also contains fixes for a critical out-of-bounds write vulnerability (CVE-2019-5524) in VMware Workstation and Fusion’s e1000 virtual network adapter that could also result in a guest being able to execute code on the host environment. This vulnerability only affects VMware Workstation 14.x and VMware Fusion 10.x (macOS) and has been addressed in Workstation 14.1.6 and Fusion 10.1.6.
Update 3/29: A list of Nessus plugins for this release can be found here as soon as they are released.
For more information about this release, please refer to VMware’s Security Advisory page.
1 Reply
- snarang (Product Team)
Update 3/29: This post has been updated with a link to the Nessus plugins for this release which will appear once they are released.