ASA-2019-00237 – VMware: Vertex shader out-of-bounds read vulnerability

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00237

Identifier(s)

ASA-2019-00237, CVE-2019-5516, VMSA-2019-0006

Title

Vertex shader out-of-bounds read vulnerability

Vendor(s)

VMware

Product(s)

VMware ESXi
VMware Workstation
VMware Fusion

Affected version(s)

VMware ESXi 6.7
VMware ESXi 6.5
VMware Workstation 15.x
VMware Workstation 14.x
VMware Fusion 11.x
VMware Fusion 10.x

Fixed version(s)

VMware 6.7 ESXi670-201904101-SG
VMware 6.5 ESXi650-201903001
VMware Workstation 15.0.3
VMware Workstation 14.1.6
VMware Fusion 11.0.3
VMware Fusion 10.1.6

Proof of concept

Unknown

Description

VMware ESXi, Workstation and Fusion updates address an out-of-bounds vulnerability with the vertex shader functionality.  Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled.  Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.  The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

Technical details

Unknown

Credits

Piotr Bania (Cisco Talos)

Reference(s)

VMSA-2019-0006
https://www.vmware.com/security/advisories/VMSA-2019-0006.html

CVE-2019-5516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5516

CVE-2019-5516
https://nvd.nist.gov/vuln/detail/CVE-2019-5516

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: May 16, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.