VMware released multiple updates today to address five critical severity vulnerabilities in the VMware vSphere ESXi, VMware Workstation Pro / Player, and VMware Fusion Pro / Fusion, two of which were used in their demos by Fluoroacetate during the Pwn2Own 2019 Security Contest.
The first two impact VMware ESXi, Workstation, and Fusion, and were reported by the Fluoroacetate team (Amat Cama and Richard Zhu) after the first and second day of this year's Pwn2Own Security Contest.

Fixed vulnerabilities could lead to code execution and DoS attacks
More specifically, they used an out-of-bounds read/write vulnerability (now tracked as CVE-2019-5518) and a time-of-check time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface) (tracked as CVE-2019-5519) to execute code on the host from the guest.
Another critical severity out-of-bounds write vulnerability, reported by Zhangyanyu of Chaitin Tech in the e1000 virtual network adapter (CVE-2019-5524), impacts VMware Workstation and Fusion and may allow a guest to execute code on the host OS.
VMware Workstation and Fusion were also found to be vulnerable to an important severity "out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters" reported by ZhanluLab (tracked as CVE-2019-5515), leading "to code execution on the host from the guest but it is more likely to result in a denial of service of the guest."
VMware's VMSA-2019-0005 security advisory also lists a further issue, reported by CodeColorist and Csaba Fitzl, which is currently tracked as CVE-2019-5514.
To address all these critical and important severity vulnerabilities, VMware has released patches for ESXi 6.0.0, 6.5.0, and 6.7.0, and the VMware Workstation 15.0.4 & 14.1.7 (Pro and Player) and Fusion 11.0.3 & 10.1.6 software updates.
VMware also released a security advisory detailing a critical severity Remote Session Hijack vulnerability impacting VMware vCloud Director for Service Providers (vCD) version 9.5.x.
This security issue is tracked as CVE-2019-5523, was fixed in an updated vCD release, and was reported by Tyler Flaagan, Eric Holm, Andrew Kramer, and Logan Stratton of Dakota State University.