Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4578.2
VMware ESXi and Horizon DaaS updates address OpenSLP remote
code execution vulnerability
11 May 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ESXi
Horizon DaaS
Publisher: VMWare
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Virtualisation
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-5544
Original Bulletin:
https://www.vmware.com/security/advisories/VMSA-2019-0022.html
Revision History: May 11 2020: Vendor released VMSA-2019-0022.1
December 6 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
VMware Security Advisories
+-----------+-----------------------------------------------------------------+
|Advisory ID|VMSA-2019-0022.1 |
+-----------+-----------------------------------------------------------------+
|Advisory |Critical |
|Severity | |
+-----------+-----------------------------------------------------------------+
|CVSSv3 |9.8 |
|Range | |
+-----------+-----------------------------------------------------------------+
|Synopsis |VMware ESXi and Horizon DaaS updates address OpenSLP remote code |
| |execution vulnerability (CVE-2019-5544) |
+-----------+-----------------------------------------------------------------+
|Issue Date |2019-12-05 |
+-----------+-----------------------------------------------------------------+
|Updated On |2020-05-08 |
+-----------+-----------------------------------------------------------------+
|CVE(s) |CVE-2019-5544 |
+-----------+-----------------------------------------------------------------+
1. Impacted Products
o VMware ESXi
o VMware Horizon DaaS
2. Introduction
A vulnerability in OpenSLP was privately reported to VMware. Patches and
workarounds are available to address this vulnerability in affected VMware
products.
3. VMware ESXi and Horizon DaaS updates address OpenSLP remote code execution
vulnerability (CVE-2019-5544)
Description:
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite
issue. VMware has evaluated the severity of this issue to be in the Critical
severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors:
A malicious actor with network access to port 427 on an ESXi host or on any
Horizon DaaS management appliance may be able to overwrite the heap of the
OpenSLP service resulting in remote code execution.
Resolution:
To remediate CVE-2019-5544 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.
Workarounds:
Workarounds for CVE-2019-5544 have been documented in the VMware Knowledge Base
articles listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation:
None.
Notes:
None.
Acknowledgements:
VMware would like to thank the 360Vulcan team working with the 2019 Tianfu Cup
Pwn Contest for reporting this issue to us.
Response Matrix:
+-------+-------+---------+-------------+------+--------+-----------------+-----------+----------+
|Product|Version|Running |CVE |CVSSV3|Severity|Fixed Version |Workarounds|Additional|
| | |On |Identifier | | | | |Documents |
+-------+-------+---------+-------------+------+--------+-----------------+-----------+----------+
|ESXi |6.7 |Any |CVE-2019-5544|9.8 |Critical|ESXi670-201912001|KB76372 |None |
+-------+-------+---------+-------------+------+--------+-----------------+-----------+----------+
|ESXi |6.5 |Any |CVE-2019-5544|9.8 |Critical|ESXi650-201912001|KB76372 |None |
+-------+-------+---------+-------------+------+--------+-----------------+-----------+----------+
|ESXi |6.0 |Any |CVE-2019-5544|9.8 |Critical|ESXi600-201912001|KB76372 |None |
+-------+-------+---------+-------------+------+--------+-----------------+-----------+----------+
|Horizon|8.x |Virtual |CVE-2019-5544|9.8 |Critical|9.0.0.0 |KB76411 |None |
|DaaS | |Appliance| | | | | | |
+-------+-------+---------+-------------+------+--------+-----------------+-----------+----------+
4. References
Fixed Version(s) and Release Notes:
ESXi 6.7 Patch Release ESXi670-201912001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-201912001.html
ESXi 6.5 Patch Release ESXi650-201912001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201912001.html
ESXi 6.0 Patch Release ESXi600-201912001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201912001.html
Horizon DaaS 9.0.0.0
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON_DAAS_900&
productId=743
https://docs.vmware.com/en/VMware-Horizon-DaaS/services/rn/
Horizon-DaaS-900-Release-Notes.html
Workarounds:
https://kb.vmware.com/s/article/76372
https://kb.vmware.com/s/article/76411
FIRST CVSSv3 Calculator:
CVE-2019-5544 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/
PR:N/UI:N/S:U/C:H/I:H/A:H
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5544
5. Change log
2019-12-05: VMSA-2019-0022
Initial security advisory in conjunction with the release of ESXi patches on
2019-12-05.
2020-05-08: VMSA-2019-0022.1
Updated advisory after release of Horizon DaaS 9.0.0.0 on 2020-05-07.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXriwPmaOgq3Tt24GAQjfyQ//Rz7dJUbOo1x4u3KSDQu0XMRW+6NhUgEm
TuuIIRgQiPUObDnkh59x220DBUzaMUTgTcKBCN37flxIeHwfXwbLa949MIvW1A1g
XjGmcLQkQQCiI80ynmG3HOGQzEJz42Fmf2PYypO0zp1NY73CWRY2nY0vgr46x7fP
ZG7pynX/12q2KwCyoBdI3QMDlos0QSdBl5GsEmX+ysqhuHLz96Ymm8FfRF8PI8lV
YwwPEEwjOSOL3k0to/+xwNLDZkWN/sPhChFlV2R/T8zdmgDXp63SyGDlngalnf8/
A3WPkDc5rqw5obYIcs/bf5Z3xnX1GaLGymUO1Yr/h8XgYrcmxNKxmy6SQ8S0ZkWn
s56dS+9t8Xb3xMp4lU55AdRUVrkvjmWis1GirM4BqTvtTO9+oY7m7sRqiQrRSMka
Idc9lrH/1/7hYMDkt/1Liyx852AZ5UM6TKi+HqliJDHFVqXxiDQYr1f4GzOAi/y7
4nKpxLYbmwEmy68vYt1eODkZEiO1gO58wlOk6hdzfJ6/vAG7vK3fqU1xgvXZmv7P
8ZQi8oJVvNs9h8VKJGnFBOPvivfGpdwa8VNV3cO0rkgFbw9WO99ekxySkequmRwh
lEPME3N5RHAAgCz4xnNLN4ZSBX+P4tMFkojLcW8mPzhQZZVDhk94NYcppT/2qYKP
V6K40xJ65/w=
=zygi
-----END PGP SIGNATURE-----