VMware Workstation and Fusion contain a network denial-of-service vulnerability due to improper handling of certain IPv6 packets. An attacker may exploit this issue by sending a specially crafted IPv6 packet from a guest machine on the VMware NAT to disallow network access for all guest machines using VMware NAT mode. This issue can be exploited only if IPv6 mode for VMNAT is enabled.
ESXi, Workstation, Fusion, VMRC and Horizon Client contain a use-after-free vulnerability in the virtual sound device. A local attacker with non-administrative access on the guest machine may exploit this issue to execute code on the host.
Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties.
An information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.
ESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell.
VMware ESXi, Workstation and Fusion contain out-of-bounds read/write vulnerabilities in the pixel shader functionality. Exploitation of these issues require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. Successful exploitation of the out-of-bounds read issue (CVE-2019-5521) may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host. The out-of-bounds write issue (CVE-2019-5684) can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host.
Multiple failed login attempts to ESXi may cause the hostd service to become unresponsive resulting in a partial denial of service for management functionality. A malicious actor with network access to an ESXi host could create a partial denial of service condition in management functionality. Successful exploitation of this issue may cause hostd to become unresponsive resulting in conditions such as an ESXi host disconnecting from vCenter.
A crafted sequence of SACKs will fragment the TCP retransmission queue, causing resource exhaustion. A malicious actor must have network access to an affected system including the ability to send traffic with low MSS values to the target. Successful exploitation of these issues may cause the target system to crash or significantly degrade performance.