VMware has released security updates for two vulnerabilities that impact VMware ESXi, Workstation and Fusion products.
The VMware updates address out-of-bounds read/write vulnerabilities (CVE-2019-5521 and CVE-2019-5684) in the pixel shader functionality.
As a result, an attacker can exploit these flaws on virtual machines with 3D graphics enabled. VMware says this feature is not enabled on ESXi by default, but is enabled by default on Workstation and Fusion.
In addition, the attack vectors of each issue and impact are each described below.
Out-of-bounds read issue (CVE-2019-5591): Successful exploitation could lead to information disclosure or allow attackers to create a denial-of-service condition on affected host.
Out-of-bounds write issue (CVE-2019-5684): Successful exploitation of issue on host running an affected NVIDIA graphics driver may lead to code execution on the host.
The impacted VMware products include:
- VMware vSphere ESXi (ESXi)
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion).
Moreover, the advisory confirmed ESXi 6.0 is not impacted by the issues.
Organizations can resolve the issues by applying VMware patches or by installing the updated NVIDIA graphics driver (for CVE-2019-5684). Alternatively, users can disable the 3D-acceleration feature as a workaround.
Finally, VMware rates the security advisory (VMSA-2019-0012) as Important with CVSS v3 score ranges between 6.3 and 8.5. VMware also credited Piotr Bania of Cisco Talos for reporting each of the issues to the company.