===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4339
                 VMSA-2019-0020 VMware Security Advisories
                             15 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation
                   VMware Fusion
Publisher:         VMware
Operating System:  Virtualisation
Impact/Access:     Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11135 CVE-2018-12207 

Reference:         ASB-2019.0322
                   ASB-2019.0313
                   ESB-2019.4286
                   ESB-2019.4274

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2019-0020.html

----------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+--------+--------------------------------------------------------------------+
|Advisory|VMSA-2019-0020                                                      |
|ID      |                                                                    |
+--------+--------------------------------------------------------------------+
|Advisory|Moderate                                                            |
|Severity|                                                                    |
+--------+--------------------------------------------------------------------+
|CVSSv3  |6.5                                                                 |
|Range   |                                                                    |
+--------+--------------------------------------------------------------------+
|        |VMware ESXi, Workstation, and Fusion patches provide                |
|Synopsis|Hypervisor-Specific Mitigations for Denial-of-Service and           |
|        |Speculative-Execution Vulnerabilities (CVE-2018-12207,              |
|        |CVE-2019-11135)                                                     |
+--------+--------------------------------------------------------------------+
|Issue   |2019-11-12                                                          |
|Date    |                                                                    |
+--------+--------------------------------------------------------------------+
|Updated |2019-11-12 (Initial Advisory)                                       |
|On      |                                                                    |
+--------+--------------------------------------------------------------------+
|CVE(s)  |CVE-2018-12207, CVE-2019-11135                                      |
+--------+--------------------------------------------------------------------+

1. Impacted Products

  o VMware ESXi
  o VMware Workstation
  o VMware Fusion

2. Introduction

Vulnerabilities have been disclosed which affect Intel processors:

  o CVE-2018-12207 - Machine Check Error on Page Size Change (MCEPSC)
  o CVE-2019-11135 - TSX Asynchronous Abort (TAA)

VMware Hypervisor patches are available which provide mitigation options for
both CVE-2018-12207 and CVE-2019-11135.

3a. Hypervisor-Specific Mitigations for Machine Check Error on Page Size Change
(MCEPSC) Denial-of-Service vulnerability (CVE-2018-12207)

Description:

VMware ESXi, Workstation, and Fusion patches include Hypervisor-Specific
Mitigations for Machine Check Error on Page Size Change (MCEPSC). VMware has
evaluated this issue to be in the Moderate severity range with a maximum CVSSv3
base score of 6.5.

 

Known Attack Vectors:

A malicious actor with local access to execute code in a virtual machine may be
able to trigger a purple diagnostic screen or immediate reboot of the
Hypervisor hosting the virtual machine, resulting in a denial-of-service
condition.

 

Resolution:

To mitigate CVE-2018-12207 please refer to the 'Response Matrix' below. First
apply all patches listed in the 'Fixed Version' column and then follow the
instructions found in the KB article in the 'Additional Documentation' column
for your respective product.

 

Workarounds:

None.

 

Additional Documentation:

Because the mitigations for CVE-2018-12207 may have a performance impact, they
are not enabled by default. After applying all patches from the 'Fixed Version'
column below, the mitigation can be enabled by following the instructions found
in the KB article in the 'Additional Documentation' column for the product.
Performance impact data found in KB76050 should be reviewed prior to enabling
this mitigation.

 

Notes:

None.

 

Acknowledgements:

None.

 

Response Matrix:

+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Product    |Version|Running|CVE Identifier|CVSSV3|Severity|Fixed Version       |Workarounds|Additional|
|           |       |On     |              |      |        |                    |           |Documents |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.7    |Any    |CVE-2018-12207|6.5   |Moderate|ESXi670-201911401-BG|None       |KB59139   |
|           |       |       |              |      |        |ESXi670-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.5    |Any    |CVE-2018-12207|6.5   |Moderate|ESXi650-201911401-BG|None       |KB59139   |
|           |       |       |              |      |        |ESXi650-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.0    |Any    |CVE-2018-12207|6.5   |Moderate|ESXi600-201911401-BG|None       |KB59139   |
|           |       |       |              |      |        |ESXi600-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Workstation|15.x   |Any    |CVE-2018-12207|N/A   |N/A     |Unaffected          |N/A        |N/A       |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Fusion     |11.x   |Any    |CVE-2018-12207|N/A   |N/A     |Unaffected          |N/A        |N/A       |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+

3b. Hypervisor-Specific Mitigations for TSX Asynchronous Abort (TAA)
Speculative-Execution vulnerability (CVE-2019-11135)

Description:

VMware ESXi, Workstation, and Fusion patches include Hypervisor-Specific
Mitigations for TSX Asynchronous Abort (TAA). VMware has evaluated this issue
to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

 

Known Attack Vectors:

A malicious actor with local access to execute code in a virtual machine may be
able to infer data otherwise protected by architectural mechanisms from another
virtual machine or the hypervisor itself. This vulnerability is only applicable
to Hypervisors utilizing 2nd Generation Intel(R) Xeon(R) Scalable Processors
(formerly known as Cascade Lake) microarchitecture.

 

Resolution:

To mitigate CVE-2019-11135 apply all patches listed in the 'Fixed Version'
column found in the 'Response Matrix' below.

 

Workarounds:

None.

 

Additional Documentation:

None.

 

Notes:

None.

 

Acknowledgements:

None.

 

Response Matrix:

+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Product    |Version|Running|CVE Identifier|CVSSV3|Severity|Fixed Version       |Workarounds|Additional|
|           |       |On     |              |      |        |                    |           |Documents |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.7    |Any    |CVE-2019-11135|6.5   |Moderate|ESXi670-201911401-BG|None       |None      |
|           |       |       |              |      |        |ESXi670-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.5    |Any    |CVE-2019-11135|6.5   |Moderate|ESXi650-201911401-BG|None       |None      |
|           |       |       |              |      |        |ESXi650-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|ESXi       |6.0    |Any    |CVE-2019-11135|6.5   |Moderate|ESXi600-201911401-BG|None       |None      |
|           |       |       |              |      |        |ESXi600-201911402-BG|           |          |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Workstation|15.x   |Any    |CVE-2019-11135|6.5   |Moderate|15.5.1              |None       |None      |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+
|Fusion     |11.x   |Any    |CVE-2019-11135|6.5   |Moderate|11.5.1              |None       |None      |
+-----------+-------+-------+--------------+------+--------+--------------------+-----------+----------+

4. References


Fixed Version(s) and Release Notes:

 

 

ESXi 6.7 Patch Release ESXi670-201911001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-201911001.html


ESXi 6.5 Patch Release ESXi650-201911001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201911001.html


ESXi 6.0 Patch Release ESXi600-201911001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201911001.html


VMware Workstation 15.5.1
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html


VMware Fusion 11.5.1
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

 

Additional Documentation:

 

https://kb.vmware.com/s/article/59139

 

FIRST CVSSv3 Calculator:
CVE-2018-12207 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVE-2019-11135 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

 

Mitre CVE Dictionary Links:

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135

 

5. Change log
 

2019-11-12: VMSA-2019-0020 

Initial security advisory detailing Hypervisor-Specific Mitigations for
CVE-2018-12207 and CVE-2019-11135 in VMware ESXi, Workstation, and Fusion.

 

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

----------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================