===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3564.2
 VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address
           use-after-free and denial of service vulnerabilities
                             23 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation
                   VMware Fusion
                   VMware VMRC
                   VMware Horizon Client
Publisher:         VMware
Operating System:  Windows
                   Mac OS
                   Linux variants
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5535 CVE-2019-5527 

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2019-0014.html

Revision History:  September 23 2019: Vendor updated the advisory - issue 3a
                                      is not affected by whether a sound device
                                      is connected.
                   September 20 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+-----------------------------------------------------------------------------+
|Advisory |VMSA-2019-0014                                                     |
|ID       |                                                                   |
|---------+-------------------------------------------------------------------|
|Advisory |Important                                                          |
|Severity |                                                                   |
|---------+-------------------------------------------------------------------|
|CVSSv3   |4.7-8.5                                                            |
|Range    |                                                                   |
|---------+-------------------------------------------------------------------|
|         |VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates  |
|Synopsis |address use-after-free and denial of service vulnerabilities.      |
|         |(CVE-2019-5527, CVE-2019-5535)                                     |
|---------+-------------------------------------------------------------------|
|Issue    |2019-09-19                                                         |
|Date     |                                                                   |
|---------+-------------------------------------------------------------------|
|Updated  |2019-09-19 (Initial Advisory)                                      |
|On       |                                                                   |
|---------+-------------------------------------------------------------------|
|CVE(s)   |CVE-2019-5527, CVE-2019-5535                                       |
+-----------------------------------------------------------------------------+

1. Impacted Products

  * VMware vSphere ESXi (ESXi)
  * VMware Workstation Pro / Player (Workstation)
  * VMware Fusion Pro / Fusion (Fusion)
  * VMware Remote Console for Windows (VMRC for Windows)
  * VMware Remote Console for Linux (VMRC for Linux)
  * VMware Horizon Client for Windows
  * VMware Horizon Client for Linux
  * VMware Horizon Client for Mac

2. Introduction

VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates
address use-after-free and denial-of-service vulnerabilities.

  * CVE-2019-5527: ESXi, Workstation, Fusion, VMRC and Horizon Client
    use-after-free vulnerability
  * CVE-2019-5535: VMware Workstation and Fusion network denial-of-service
    vulnerability

3a. ESXi, Workstation, Fusion, VMRC and Horizon Client use-after-free
vulnerability - CVE-2019-5527

Description:

ESXi, Workstation, Fusion, VMRC and Horizon Client contain a use-after-free
vulnerability in the virtual sound device. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3 base
score of 8.5.

Known Attack Vectors:

A local attacker with non-administrative access on the guest machine may
exploit this issue to execute code on the host.

Resolution:

To remediate CVE-2019-5527, update/upgrade to the versions listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds:

None.

Additional Documentation:

None.

Notes:

This issue can only be exploited if a valid sound back-end is not connected.

Acknowledgements:

VMware would like to thank Will Dormann of the CERT/CC and wenqunwang from 360
Codesafe Team of Legendsec for independently reporting this issue to us.

Response Matrix:

+------------------------------------------------------------------------------------------------------+
|Product    |Version|Running|CVE          |CVSSV3|Severity |Fixed Version       |Workarounds|Additional|
|           |       |On     |Identifier   |      |         |                    |           |Documents |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|ESXi       |6.7    |Any    |CVE-2019-5527|8.5   |Important|ESXi670-201904101-SG|None       |None      |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|ESXi       |6.5    |Any    |CVE-2019-5527|8.5   |Important|ESXi650-201903401-SG|None       |None      |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|ESXi       |6.0    |Any    |CVE-2019-5527|8.5   |Important|ESXi600-201909101-SG|None       |None      |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|Workstation|15.x   |Any    |CVE-2019-5527|8.5   |Important|15.5.0              |None       |None      |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|Fusion     |11.x   |OS X   |CVE-2019-5527|8.5   |Important|11.5.0              |None       |None      |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|VMRC for   |10.x   |Windows|CVE-2019-5527|8.5   |Important|10.0.5 and Later    |None       |None      |
|Windows    |       |       |             |      |         |                    |           |          |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|VMRC for   |10.x   |Linux  |CVE-2019-5527|8.5   |Important|10.0.5 and Later    |None       |None      |
|Linux      |       |       |             |      |         |                    |           |          |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|Horizon    |5.x and|       |             |      |         |                    |           |          |
|Client for |prior  |Windows|CVE-2019-5527|8.0   |Important|5.2.0               |None       |None      |
|Windows    |       |       |             |      |         |                    |           |          |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|Horizon    |5.x and|       |             |      |         |                    |           |          |
|Client for |prior  |Linux  |CVE-2019-5527|8.0   |Important|5.2.0               |None       |None      |
|Linux      |       |       |             |      |         |                    |           |          |
|-----------+-------+-------+-------------+------+---------+--------------------+-----------+----------|
|Horizon    |5.x and|       |             |      |         |                    |           |          |
|Client for |prior  |OS X   |CVE-2019-5527|8.0   |Important|5.2.0               |None       |None      |
|Mac        |       |       |             |      |         |                    |           |          |
+------------------------------------------------------------------------------------------------------+

3b. VMware Workstation and Fusion network denial-of-service
vulnerability - CVE-2019-5535

Description:

VMware Workstation and Fusion contain a network denial-of-service vulnerability
due to improper handling of certain IPv6 packets. VMware has evaluated the
severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 4.7.

Known Attack Vectors:

An attacker may exploit this issue by sending a specially crafted IPv6 packet
from a guest machine on the VMware NAT to disallow network access for all guest
machines using VMware NAT mode. This issue can be exploited only if IPv6 mode
for VMNAT is enabled.

Resolution:

To remediate CVE-2019-5535, update/upgrade to the versions listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds:

None.

Additional Documentation:

None.

Notes:

IPv6 mode for VMNAT is not enabled by default.

Acknowledgements:

VMware would like to thank Carlos Garcia Prado from FireEye for reporting this
issue to us.

Response Matrix:

+----------------------------------------------------------------------------------------+
|Product    |Version|Running|CVE          |CVSSV3|Severity|Fixed  |Workarounds|Additional|
|           |       |On     |Identifier   |      |        |Version|           |Documents |
|-----------+-------+-------+-------------+------+--------+-------+-----------+----------|
|Workstation|15.x   |Any    |CVE-2019-5535|4.7   |Moderate|15.5.0 |None       |None      |
|-----------+-------+-------+-------------+------+--------+-------+-----------+----------|
|Fusion     |11.x   |OS X   |CVE-2019-5535|4.7   |Moderate|11.5.0 |None       |None      |
+----------------------------------------------------------------------------------------+

4. References

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5535

Fixed Version(s) and Release Notes:

VMware ESXi 6.7 U2
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=ESXI67U2
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html

VMware ESXi 6.5, Patch Release ESXi650-201903001 
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201903001.html

VMware ESXi 6.0, Patch Release ESXi600-201909001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201909001.html

VMware Workstation 15.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Fusion 11.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

VMware Remote Console 10.0.x
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VMRC1006&productId=742
https://docs.vmware.com/en/VMware-Remote-Console/10.0/rn/VMware-Remote-Console-1006-Release-Notes.html

VMware Horizon Client 5.2.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

5. Change log

2019-09-19: VMSA-2019-0014 Initial security advisory in conjunction with the
release of Workstation 15.5.0 and Fusion 11.5.0 on 2019-09-19.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================