cv-announce-l@list.iu.edu
Subject: cv alerts list
List archive
- From: Terry Fleury <tfleury@illinois.edu>
- To: cv-announce@trustedci.org
- Subject: [cv-announce-l] VMware Multiple Vulnerabilities (VMSA-2019-0005)
- Date: Tue, 2 Apr 2019 10:22:26 -0500
CI Operators:
VMware has announced updates to its product line addressing multiple
critical vulnerabilities [1] which may allow a guest to execute
arbitrary code on the host.
1. VMware Fusion contains a security vulnerability due to certain
unauthenticated APIs accessible through a web socket.
(CVE-2019-5514 [2])
2. VMware Workstation and Fusion updates address an out-of-bounds write
vulnerability in the e1000 and e1000e virtual network adapters.
(CVE-2019-5515 [3])
3. VMware ESXi, Workstation, and Fusion contain an out-of-bounds
read/write vulnerability (CVE-2019-5518 [4]) and a Time-of-check
Time-of-use vulnerability in the virtual USB 1.1 Universal Host
Controller Interface. (CVE-2019-5519 [5])
4. VMware Workstation and Fusion contain an out-of-bounds write
vulnerability in the e1000 virtual network adapter.
(CVE-2019-5524 [6])
Impacts:
1. An attacker may exploit this issue by tricking the host user into
executing JavaScript that performs unauthorized functions on the guest
machine where VMware Tools is installed. This may further be
exploited to execute commands on the guest machines.
2. Exploitation of this issue may lead to code execution on the host
from the guest but it is more likely to result in a denial of service
of the guest.
3. Exploitation of these issues requires an attacker to have access to a
virtual machine with a virtual USB controller present. These issues
may allow a guest to execute code on the host.
4. This issue may allow a guest to execute code on the host.
Recommendation:
Apply patches based on the version and VMware product being used.
* vSphere ESXi 6.0, 6.5, 6.7 :
https://my.vmware.com/group/vmware/patch
* Workstation Pro 14.1.6, 14.1.7, 15.0.3, 15.0.4 :
https://www.vmware.com/go/downloadworkstation
* Workstation Player 14.1.6, 14.1.7, 15.0.3, 15.0.4 :
https://www.vmware.com/go/downloadplayer
* Fusion Pro / Fusion 10.1.6, 11.0.3 :
https://www.vmware.com/go/downloadfusion
Affected Software:
* VMware vSphere ESXi 6.0, 6.5, 6.7
* VMware Workstation Pro / Player 14.x, 15.x
* VMware Fusion Pro / Fusion 10.x, 11.x
References:
[1] https://www.vmware.com/security/advisories/VMSA-2019-0005.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5514
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5515
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5518
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5519
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5524
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate
response, depends in part on operational conditions that are unique to
each cyberinfrastructure deployment. Trusted CI cannot provide a
one-size-fits-all severity rating and response recommendation for all NSF
cyberinfrastructure. Please contact us (http://trustedci.org/help/) if
you need assistance with assessing the potential impact of this
vulnerability in your environment and/or you have additional information
about this issue that should be shared with the community.
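
Added example (not part of the original advisory or any VMware tooling): a small triage script that sorts a host inventory by the product branches and patch versions named under "Recommendation" and "Affected Software" above. It assumes the highest version listed for each branch is the update target, reports ESXi hosts as needing a patch-level check because the advisory gives no ESXi build numbers, and uses a constructed inventory.

```python
import re

# Update targets taken from the "Recommendation" list in this advisory.
# Assumption: the highest version listed for each branch is the target.
TARGETS = {
    "workstation": {14: (14, 1, 7), 15: (15, 0, 4)},  # Pro and Player
    "fusion": {10: (10, 1, 6), 11: (11, 0, 3)},       # Fusion Pro / Fusion
}
# ESXi branches listed as affected; fixes ship as patches, not version numbers.
ESXI_BRANCHES = {(6, 0), (6, 5), (6, 7)}


def parse_version(text):
    """Return (major, minor, patch) from strings like '15.0.2 build-123'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def triage(product, version):
    """Classify one install: update, ok, check-patch, not-listed, unparseable."""
    v = parse_version(version)
    if v is None:
        return "unparseable"
    name = product.lower()
    if "esxi" in name:
        return "check-patch" if v[:2] in ESXI_BRANCHES else "not-listed"
    for family, branches in TARGETS.items():
        if family in name:
            target = branches.get(v[0])
            if target is None:
                return "not-listed"  # branch not covered by this advisory
            return "ok" if v >= target else "update"
    return "not-listed"


def triage_inventory(rows):
    return {host: triage(product, version) for host, product, version in rows}


# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = [
    ("lab-mac-01", "VMware Fusion", "11.0.2"),
    ("lab-ws-02", "VMware Workstation Pro", "15.0.4"),
    ("lab-ws-03", "VMware Workstation Player", "14.1.5 build-1"),
    ("esx-01", "VMware ESXi", "6.5.0"),
    ("old-ws", "VMware Workstation Pro", "12.5.9"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "not-listed" run a branch this advisory does not name and need a separate check against the vendor advisory [1].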