VMware pushed out security updates covering five vulnerabilities that, if exploited, could lead to information disclosure or a denial-of-service situation.
are CVE-2019-5540, CVE-2019-5541 and CVE-2019-5542 and impact VMware
Workstation Pro / Player and VMware Fusion Pro/Fusion.
covers an out-of-bounds write vulnerability in e1000e virtual network adapter
that could lead to code execution on the host from the guest or may
allow attackers to create a denial-of-service condition on their own VM.
is an information disclosure vulnerability in vmnetdhcp that if abused could
allow an attacker on a guest VM to disclose sensitive information by leaking
memory from the host process.
refers to a denial-of-service vulnerability in the RPC handler allowing attackers
with normal user privileges to create a denial-of-service condition on their
The two moderate
issues covered are CVE-2018-12207 and CVE-2019-11135 and affect VMware ESXi,
VMware Workstation and VMware Fusion.
The first vulnerability
is a machine check error on page size change where “A malicious actor with
local access to execute code in a virtual machine may be able to trigger a
purple diagnostic screen or immediate reboot of the Hypervisor hosting the
virtual machine, resulting in a denial-of-service condition,” VMware wrote.
security problem if exploited a malicious actor with local access to execute
code in a virtual machine may be able to infer data otherwise protected by
architectural mechanisms from another virtual machine or the hypervisor itself.
It is pointed out that this vulnerability is only applicable to Hypervisors
utilizing second Generation Intel Xeon Scalable Processors.
all the vulnerabilities are available. VMware did note that the patch for CVE-2018-12207
is not enabled by default upon download, due to a possible performance impact. So
admin staffers must follow the steps in the KB article in the ‘Additional
Documentation’ column for the product. Performance impact data found in KB76050
should be reviewed prior to enabling this mitigation.
The post VMware patches five security vulnerabilities appeared first on SC Media.