===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4339
                               VMSA-2019-0020
                         VMware Security Advisories
                              15 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation
                   VMware Fusion
Publisher:         VMware
Operating System:  Virtualisation
Impact/Access:     Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11135 CVE-2018-12207

Reference:         ASB-2019.0322
                   ASB-2019.0313
                   ESB-2019.4286
                   ESB-2019.4274

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2019-0020.html

--------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+-----------------+---------------------------------------------------------+
|Advisory ID      |VMSA-2019-0020                                           |
+-----------------+---------------------------------------------------------+
|Advisory Severity|Moderate                                                 |
+-----------------+---------------------------------------------------------+
|CVSSv3 Range     |6.5                                                      |
+-----------------+---------------------------------------------------------+
|Synopsis         |VMware ESXi, Workstation, and Fusion patches provide     |
|                 |Hypervisor-Specific Mitigations for Denial-of-Service and|
|                 |Speculative-Execution Vulnerabilities (CVE-2018-12207,   |
|                 |CVE-2019-11135)                                          |
+-----------------+---------------------------------------------------------+
|Issue Date       |2019-11-12                                               |
+-----------------+---------------------------------------------------------+
|Updated On       |2019-11-12 (Initial Advisory)                            |
+-----------------+---------------------------------------------------------+
|CVE(s)           |CVE-2018-12207, CVE-2019-11135                           |
+-----------------+---------------------------------------------------------+

1. Impacted Products

  o VMware ESXi
  o VMware Workstation
  o VMware Fusion

2. Introduction

Vulnerabilities have been disclosed which affect Intel processors:

  o CVE-2018-12207 - Machine Check Error on Page Size Change (MCEPSC)
  o CVE-2019-11135 - TSX Asynchronous Abort (TAA)

VMware Hypervisor patches are available which provide mitigation options for
both CVE-2018-12207 and CVE-2019-11135.

3a. Hypervisor-Specific Mitigations for Machine Check Error on Page Size
Change (MCEPSC) Denial-of-Service vulnerability (CVE-2018-12207)

Description:

VMware ESXi, Workstation, and Fusion patches include Hypervisor-Specific
Mitigations for Machine Check Error on Page Size Change (MCEPSC). VMware has
evaluated this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 6.5.

Known Attack Vectors:

A malicious actor with local access to execute code in a virtual machine may
be able to trigger a purple diagnostic screen or immediate reboot of the
Hypervisor hosting the virtual machine, resulting in a denial-of-service
condition.

Resolution:

To mitigate CVE-2018-12207 please refer to the 'Response Matrix' below. First
apply all patches listed in the 'Fixed Version' column and then follow the
instructions found in the KB article in the 'Additional Documentation' column
for your respective product.

Workarounds:

None.

Additional Documentation:

Because the mitigations for CVE-2018-12207 may have a performance impact they
are not enabled by default. After applying all patches from the 'Fixed
Version' column below mitigation can be enabled by following the instructions
found in the KB article in the 'Additional Documentation' column for the
product. Performance impact data found in KB76050 should be reviewed prior to
enabling this mitigation.

Notes:

None.

Acknowledgements:

None.

Response Matrix:

+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Product    |Version|Running|CVE Identifier|CVSSV3|Severity|Fixed Version       |Workarounds|Additional|
|           |       |On     |              |      |        |                    |           |Documents |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.7    |Any    |CVE-2018-12207|6.5   |Moderate|ESXi670-201911401-BG|None       |KB59139   |
|           |       |       |              |      |        |ESXi670-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.5    |Any    |CVE-2018-12207|6.5   |Moderate|ESXi650-201911401-BG|None       |KB59139   |
|           |       |       |              |      |        |ESXi650-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.0    |Any    |CVE-2018-12207|6.5   |Moderate|ESXi600-201911401-BG|None       |KB59139   |
|           |       |       |              |      |        |ESXi600-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Workstation|15.x   |Any    |CVE-2018-12207|N/A   |N/A     |Unaffected          |N/A        |N/A       |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Fusion     |11.x   |Any    |CVE-2018-12207|N/A   |N/A     |Unaffected          |N/A        |N/A       |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+

3b. Hypervisor-Specific Mitigations for TSX Asynchronous Abort (TAA)
Speculative-Execution vulnerability (CVE-2019-11135)

Description:

VMware ESXi, Workstation, and Fusion patches include Hypervisor-Specific
Mitigations for TSX Asynchronous Abort (TAA). VMware has evaluated this issue
to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors:

A malicious actor with local access to execute code in a virtual machine may
be able to infer data otherwise protected by architectural mechanisms from
another virtual machine or the hypervisor itself.
This vulnerability is only applicable to Hypervisors utilizing 2nd Generation
Intel(R) Xeon(R) Scalable Processors (formerly known as Cascade Lake)
microarchitecture.

Resolution:

To mitigate CVE-2019-11135 apply all patches listed in the 'Fixed Version'
column found in the 'Response Matrix' below.

Workarounds:

None.

Additional Documentation:

None.

Notes:

None.

Acknowledgements:

None.

Response Matrix:

+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Product    |Version|Running|CVE Identifier|CVSSV3|Severity|Fixed Version       |Workarounds|Additional|
|           |       |On     |              |      |        |                    |           |Documents |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.7    |Any    |CVE-2019-11135|6.5   |Moderate|ESXi670-201911401-BG|None       |None      |
|           |       |       |              |      |        |ESXi670-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.5    |Any    |CVE-2019-11135|6.5   |Moderate|ESXi650-201911401-BG|None       |None      |
|           |       |       |              |      |        |ESXi650-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.0    |Any    |CVE-2019-11135|6.5   |Moderate|ESXi600-201911401-BG|None       |None      |
|           |       |       |              |      |        |ESXi600-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Workstation|15.x   |Any    |CVE-2019-11135|6.5   |Moderate|15.5.1              |None       |None      |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Fusion     |11.x   |Any    |CVE-2019-11135|6.5   |Moderate|11.5.1              |None       |None      |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+

4. References

Fixed Version(s) and Release Notes:

ESXi 6.7 Patch Release ESXi670-201911001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-201911001.html

ESXi 6.5 Patch Release ESXi650-201911001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201911001.html

ESXi 6.0 Patch Release ESXi600-201911001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201911001.html

VMware Workstation 15.5.1
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Fusion 11.5.1
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

Additional Documentation:
https://kb.vmware.com/s/article/59139

FIRST CVSSv3 Calculator:
CVE-2018-12207 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVE-2019-11135 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135

5. Change log

2019-11-12: VMSA-2019-0020
Initial security advisory detailing Hypervisor-Specific Mitigations for
CVE-2018-12207 and CVE-2019-11135 in VMware ESXi, Workstation, and Fusion.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
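
The remediation logic of VMSA-2019-0020 above (apply the listed patches first, then enable the CVE-2018-12207 mitigation per KB59139, with CVE-2019-11135 applicable only on Cascade Lake hypervisors) can be expressed as a fleet triage check. This is an added example, not part of the AusCERT bulletin or the VMware advisory; the `Host` record, its field names and the sample inventory are hypothetical.

```python
from dataclasses import dataclass, field

# Fixed versions transcribed from the advisory's two response matrices.
ESXI_BULLETINS = {
    "6.7": {"ESXi670-201911401-BG", "ESXi670-201911402-BG"},
    "6.5": {"ESXi650-201911401-BG", "ESXi650-201911402-BG"},
    "6.0": {"ESXi600-201911401-BG", "ESXi600-201911402-BG"},
}
DESKTOP_FIXED = {"Workstation": (15, 5, 1), "Fusion": (11, 5, 1)}

@dataclass
class Host:  # hypothetical inventory record, not a VMware API type
    name: str
    product: str
    version: str
    bulletins: set = field(default_factory=set)  # ESXi bulletin IDs already applied
    cascade_lake: bool = False    # 2nd Generation Intel Xeon Scalable CPU
    mcepsc_enabled: bool = False  # KB59139 steps already carried out

def triage(h: Host) -> list:
    """Return outstanding actions for one host, in the order the advisory gives."""
    todo = []
    if h.product == "ESXi":
        required = ESXI_BULLETINS.get(".".join(h.version.split(".")[:2]))
        if required is None:
            return [f"ESXi {h.version} is not listed in VMSA-2019-0020"]
        missing = sorted(required - h.bulletins)
        if missing:
            todo.append("apply " + ", ".join(missing))
            if h.cascade_lake:  # TAA only applies on Cascade Lake hypervisors
                todo.append("CVE-2019-11135 applies until patched (Cascade Lake)")
        if not h.mcepsc_enabled:  # patches alone leave this mitigation off
            todo.append("CVE-2018-12207: review KB76050, then enable per KB59139")
    elif h.product in DESKTOP_FIXED:
        fixed = DESKTOP_FIXED[h.product]
        current = tuple(int(p) for p in h.version.split("."))
        if current[0] != fixed[0]:
            return [f"{h.product} {h.version} is not listed in VMSA-2019-0020"]
        if current < fixed:  # desktop products are unaffected by CVE-2018-12207
            todo.append(f"upgrade to {'.'.join(map(str, fixed))} (CVE-2019-11135)")
    else:
        todo.append(f"{h.product} is not covered by VMSA-2019-0020")
    return todo

FLEET = [  # constructed sample inventory
    Host("esx01", "ESXi", "6.7.0", {"ESXi670-201911401-BG"}, cascade_lake=True),
    Host("esx02", "ESXi", "6.5.0", set(ESXI_BULLETINS["6.5"]), mcepsc_enabled=True),
    Host("lab-ws", "Workstation", "15.5.0"),
]
```

Calling `triage(host)` for each entry in `FLEET` yields an empty list for hosts with nothing outstanding under this advisory.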