VMware released updates to address vulnerabilities in
Amat Cama and Richard Zhu of team Fluoroacetate earned $70,000 for escaping a VMware Workstation virtual machine and executing code on the underlying host operating system.
At Pwn2Own 2019, Amat Cama and Richard Zhu of team Fluoroacetate demonstrated two VMware Workstation vulnerabilities, including one that was leveraged in a complex exploit targeting Microsoft’s Edge browser. They earned $70,000 for escaping a VMware Workstation virtual machine and executing code on the underlying host operating system, and $130,000 for the Edge exploit.
VMware released security updates for macOS version of ESXi, Workstation, and Fusion.
The critical vulnerabilities are an out-of-bounds read/write vulnerability (CVE-2019-5518) and a Time-of-Check-Time-of-Use (TOCTOU) issue (CVE-2019-5519) that reside in the virtual USB 1.1 Universal Host Controller Interface (UHCI).
“VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface). ” reads the security advisory published by the company.
“Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host. ”
VMware has also patched a critical out-of-bounds write vulnerability affecting the e1000 virtual network adapter used by Workstation and Fusion on macOS. The vulnerability, tracked as CVE-2019-5524, could be exploited by a guest to execute arbitrary code on the host. The company credited Zhangyanyu of Chinese company Chaitin Tech for the
The company addressed a similar flaw affecting Workstation and Fusion in the e1000 and e1000e virtual network adapters. The flaw, rated as “important,” could be exploited to get code execution on the host from the guest operating system.
VMware also addressed a critical vulnerability in Fusion 11.x running on macOS (CVE-2019-5514).
“VMware Fusion contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket.” continues the advisory.
The company also addressed a critical vulnerability (CVE-2019-5523) affecting vCloud Director for Service Providers that impacts version 9.5.x on any platform. The flaw could be exploited by a remote attacker to hijack sessions for the Tenant and Provider portals by impersonating a currently logged-in session.