VMware addressed vulnerabilities disclosed at Pwn2Own 2019

VMware released security updates to address vulnerabilities in its vCloud Director, ESXi, Workstation and Fusion products. The company also fixed the security flaws disclosed at the Pwn2Own 2019 hacking competition.

VMware released updates to address vulnerabilities in vCloud Director, ESXi, Workstation and Fusion products, including ones disclosed at the Pwn2Own 2019.

Amat Cama and Richard Zhu of team Fluoroacetate earned $70,000 for escaping a VMware Workstation virtual machine and executing code on the underlying host operating system.

At Pwn2Own 2019, Amat Cama and Richard Zhu of team Fluoroacetate demonstrated two VMware Workstation vulnerabilities, including one that was leveraged in a complex exploit targeting Microsoft’s Edge browser. They earned $70,000 for escaping a VMware Workstation virtual machine and executing code on the underlying host operating system, and $130,000 for the Edge exploit.

VMware released security updates for macOS version of ESXi, Workstation, and Fusion.

The critical vulnerabilities are an out-of-bounds read/write vulnerability (CVE-2019-5518) and a Time-of-Check-Time-of-Use (TOCTOU) issue (CVE-2019-5519) that reside in the virtual USB 1.1 Universal Host Controller Interface (UHCI).

“VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface). ” reads the security advisory published by the company.

“Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host. ”

VMware has also patched a critical out-of-bounds write vulnerability affecting the e1000 virtual network adapter used by Workstation and Fusion on macOS. The vulnerability, tracked as CVE-2019-5524, could be exploited by a guest to execute arbitrary code on the host. The company credited Zhangyanyu of Chinese company Chaitin Tech for the vulnerability.

The company addressed a similar flaw affecting Workstation and Fusion in the e1000 and e1000e virtual network adapters. The flaw, rated as “important,” could be exploited to get code execution on the host from the guest operating system.

VMware also addressed a critical vulnerability in Fusion 11.x running on macOS (CVE-2019-5514).

“VMware Fusion contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket.” continues the advisory.

“An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines,”

The company also addressed a critical vulnerability (CVE-2019-5523) affecting vCloud Director for Service Providers that impacts version 9.5.x on any platform. The flaw could be exploited by a remote attacker to hijack sessions for the Tenant and Provider portals by impersonating a currently logged-in session.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Pwn2Own 2019 , VMware)

[adrotate banner=”5″]

[adrotate banner=”13″]