VMware has released security updates (VMSA-2019-0009) to address vulnerabilities in VMware Tools and Workstation products.
The VMware Tools and Workstation updates fix out-of-bounds read and use-after-free vulnerabilities, as noted below.
In the first update, VMware addresses an out-of-bounds read vulnerability (CVE-2019-5522) in the vm3dmp driver, which is installed with VMware Tools on Windows guest machines.
As a result, a local attacker with only non-administrative access to a Windows guest running VMware Tools could leak kernel data. The attacker could also cause a denial of service on the Windows guest system.
VMware rates the vulnerability ‘Important’, with a CVSSv3 score of 7.1. For that reason, users should upgrade VMware Tools for Windows 10.x to 10.3.10 to resolve this issue.
In the second update, VMware addresses a use-after-free vulnerability (CVE-2019-5525) in the Advanced Linux Sound Architecture (ALSA) backend.
Consequently, a malicious actor with normal user privileges on a guest machine may exploit the vulnerability to execute code on a Linux host where Workstation is installed.
VMware rates the vulnerability ‘Important’, with a CVSSv3 score of 8.5. Thus, users should update Workstation 15.x to 15.1.0 to resolve this issue as soon as possible.
In conclusion, users and administrators should update both VMware Tools and Workstation as soon as possible. See the VMware advisory (VMSA-2019-0009) for more details.
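
The following is an added example, not part of the VMware advisory: a small Python check that flags inventory rows still below the fixed versions named above. The host names, platform labels and version strings are constructed for illustration. Versions are compared as numeric tuples, because a plain string comparison ranks 10.3.5 above 10.3.10 and would miss an unpatched guest.

```python
import re

# Fixed releases as stated in the summary above:
# product -> (release line, first fixed version, affected platform, CVE)
FIXES = {
    "tools": (10, (10, 3, 10), "windows-guest", "CVE-2019-5522"),
    "workstation": (15, (15, 1, 0), "linux-host", "CVE-2019-5525"),
}

def parse_version(text):
    """Return the first dotted version in text as a 3-tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.group().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, platform, version_text):
    """Classify one inventory row as 'upgrade', 'ok' or 'out-of-scope'."""
    major, fixed, affected_platform, cve = FIXES[product]
    version = parse_version(version_text)
    # The summary covers one release line and one platform per product.
    # Anything else is reported as out of scope, not as safe.
    if platform != affected_platform or version[0] != major:
        return ("out-of-scope", None)
    if version < fixed:  # numeric comparison, so 10.3.5 < 10.3.10
        return ("upgrade", cve)
    return ("ok", None)

# Constructed inventory rows: (host, product, platform, reported version).
INVENTORY = [
    ("win-guest-01", "tools", "windows-guest", "10.3.5.10430147"),
    ("win-guest-02", "tools", "windows-guest", "10.3.10.12406962"),
    ("dev-laptop-01", "workstation", "linux-host",
     "VMware Workstation 15.0.4 build-12990004"),
    ("dev-laptop-02", "workstation", "linux-host", "15.1.0"),
    ("dev-laptop-03", "workstation", "windows-host", "15.0.4"),
]

def report(rows=INVENTORY):
    """Map each host to its (status, cve) result."""
    return {host: assess(product, platform, text)
            for host, product, platform, text in rows}

if __name__ == "__main__":
    for host, (status, cve) in report().items():
        print(f"{host:15} {status:13} {cve or ''}")
```

Rows reported as out-of-scope are outside the versions and platforms this summary describes and should be checked against the VMware advisory itself.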