Allele Security Alert
ASA-2019-00562
Identifier(s)
ASA-2019-00562, CVE-2019-5527, VMSA-2019-0014
Title
Use-after-free vulnerability in the virtual sound device
Vendor(s)
VMware
Product(s)
VMware ESXi
VMware Workstation
VMware Fusion
VMware Remote Console
VMware Horizon Client
Affected version(s)
VMware ESXi 6.7 versions before ESXi670-201904101-SG
VMware ESXi 6.5 versions before ESXi650-201903401-SG
VMware ESXi 6.0 versions before ESXi600-201909101-SG
VMware Workstation 15.x versions before 15.5.0
VMware Fusion 11.x versions before 11.5.0
VMware Remote Console for Windows 10.x versions before 10.0.5
VMware Remote Console for Linux 10.x versions before 10.0.5
VMware Horizon Client for Windows 5.x versions before 5.2.0
VMware Horizon Client for Linux 5.x versions before 5.2.0
VMware Horizon Client for Mac 5.x versions before 5.2.0
Fixed version(s)
VMware ESXi 6.7 version ESXi670-201904101-SG
VMware ESXi 6.5 version ESXi650-201903401-SG
VMware ESXi 6.0 version ESXi600-201909101-SG
VMware Workstation 15.x version 15.5.0
VMware Fusion 11.x version 11.5.0
VMware Remote Console for Windows 10.x version 10.0.5
VMware Remote Console for Linux 10.x version 10.0.5
VMware Horizon Client for Windows 5.x version 5.2.0
VMware Horizon Client for Linux 5.x version 5.2.0
VMware Horizon Client for Mac 5.x version 5.2.0
Proof of concept
Unknown
Description
ESXi, Workstation, Fusion, VMRC and Horizon Client contain a use-after-free vulnerability in the virtual sound device. A local attacker with non-administrative access on the guest machine may exploit this issue to execute code on the host.
Technical details
Unknown
Credits
Will Dormann (CERT/CC) and wenqunwang (Codesafe Team of Legendsec at Qi’anxin Group)
Reference(s)
VMSA-2019-0014.1
https://www.vmware.com/security/advisories/VMSA-2019-0014.html
CVE-2019-5527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5527
CVE-2019-5527
https://nvd.nist.gov/vuln/detail/CVE-2019-5527
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: October 21, 2019