
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4340
                 VMSA-2019-0021 VMware Security Advisories
                             15 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workstation
                   VMware Fusion
Publisher:         VMware
Operating System:  Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5542 CVE-2019-5541 CVE-2019-5540

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2019-0021.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+----------+------------------------------------------------------------------+
|Advisory  |VMSA-2019-0021                                                    |
|ID        |                                                                  |
+----------+------------------------------------------------------------------+
|Advisory  |Important                                                         |
|Severity  |                                                                  |
+----------+------------------------------------------------------------------+
|CVSSv3    |5.0-8.7                                                           |
|Range     |                                                                  |
+----------+------------------------------------------------------------------+
|Synopsis  |VMware Workstation and Fusion updates address multiple security   |
|          |vulnerabilities (CVE-2019-5540, CVE-2019-5541, CVE-2019-5542)     |
+----------+------------------------------------------------------------------+
|Issue Date|2019-11-12                                                        |
+----------+------------------------------------------------------------------+
|Updated On|2019-11-12 (Initial Advisory)                                     |
+----------+------------------------------------------------------------------+
|CVE(s)    |CVE-2019-5540, CVE-2019-5541, CVE-2019-5542                       |
+----------+------------------------------------------------------------------+

1. Impacted Products

  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)

2. Introduction

VMware Workstation and Fusion contain multiple security
vulnerabilities. Patches and workarounds are available to remediate these
vulnerabilities in affected VMware products.

3a. VMware Workstation and Fusion out-of-bounds write vulnerability in
e1000e virtual network adapter (CVE-2019-5541)

Description:

VMware Workstation and Fusion contain an out-of-bounds write vulnerability in
the e1000e virtual network adapter. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3 base score of
8.7.

Known Attack Vectors:

Successful exploitation of this issue may lead to code execution on the host
from the guest or may allow attackers to create a denial-of-service condition
on their own VM.

Resolution:

To remediate CVE-2019-5541, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank instructor working with Trend Micro's Zero Day
Initiative for reporting this issue to us.

Resolution Matrix:

+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Product    |Version|Running|CVE          |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|           |       |On     |Identifier   |      |         |Version|           |Documents |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Workstation|15.x   |Any    |CVE-2019-5541|8.7   |Important|15.5.1 |None       |None      |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Fusion     |11.x   |OSX    |CVE-2019-5541|8.7   |Important|11.5.1 |None       |None      |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+

3b. VMware Workstation and Fusion vmnetdhcp information disclosure
vulnerability (CVE-2019-5540)

Description:

Workstation and Fusion contain an information disclosure vulnerability in
vmnetdhcp. VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.7.

Known Attack Vectors:

Successful exploitation of this issue may allow an attacker on a guest VM to
disclose sensitive information by leaking memory from the host process.

Resolution:

To remediate CVE-2019-5540, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank S4nnyb0y for reporting this issue to us.

Resolution Matrix:

+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Product    |Version|Running|CVE          |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|           |       |On     |Identifier   |      |         |Version|           |Documents |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Workstation|15.x   |Any    |CVE-2019-5540|7.7   |Important|15.5.1 |None       |None      |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+
|Fusion     |11.x   |OSX    |CVE-2019-5540|7.7   |Important|11.5.1 |None       |None      |
+-----------+-------+-------+-------------+------+---------+-------+-----------+----------+

3c. VMware Workstation and Fusion denial-of-service vulnerability
(CVE-2019-5542)

Description:

VMware Workstation and Fusion contain a denial-of-service vulnerability in
the RPC handler. VMware has evaluated the severity of this issue to be in the
Moderate severity range with a maximum CVSSv3 base score of 5.0.

Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal user
privileges to create a denial-of-service condition on their own VM.

Resolution:

To remediate CVE-2019-5542, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Jinwei Chen of Bangcle Security for reporting this
issue to us.

Resolution Matrix:

+-----------+-------+-------+-------------+------+--------+-------+-----------+----------+
|Product    |Version|Running|CVE          |CVSSV3|Severity|Fixed  |Workarounds|Additional|
|           |       |On     |Identifier   |      |        |Version|           |Documents |
+-----------+-------+-------+-------------+------+--------+-------+-----------+----------+
|Workstation|15.x   |Any    |CVE-2019-5542|5.0   |Moderate|15.5.1 |None       |None      |
+-----------+-------+-------+-------------+------+--------+-------+-----------+----------+
|Fusion     |11.x   |OSX    |CVE-2019-5542|5.0   |Moderate|11.5.1 |None       |None      |
+-----------+-------+-------+-------------+------+--------+-------+-----------+----------+
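A version check against the resolution matrices above, added here as an example (not VMware's or AusCERT's code): it parses a Workstation or Fusion version banner, assumed to look like the 'vmware -v' output on Linux (the advisory does not show that format), and reports whether the install is at or above the fixed version for the three CVEs, or whether the branch is outside what this advisory covers.

```python
"""Version check against the VMSA-2019-0021 resolution matrix.

Added example, not VMware's or AusCERT's code. It assumes a banner of the
form 'VMware Workstation 15.5.0 build-NNNNNNN' as printed by 'vmware -v'
on Linux (an assumption; the advisory does not show the banner format)."""
import re

# Resolution matrix from the advisory: affected branch and fixed version.
MATRIX = {
    "Workstation": {"branch": 15, "fixed": (15, 5, 1)},
    "Fusion": {"branch": 11, "fixed": (11, 5, 1)},
}
# All three issues are resolved by the same fixed versions.
CVES = ("CVE-2019-5540", "CVE-2019-5541", "CVE-2019-5542")


def parse_banner(text):
    """Return (product, version tuple) from a version banner."""
    m = re.search(r"VMware (Workstation|Fusion)\D*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version banner: %r" % text)
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def assess(banner):
    """Return ('fixed' | 'vulnerable' | 'not covered', outstanding CVEs)."""
    product, ver = parse_banner(banner)
    entry = MATRIX[product]
    if ver[0] != entry["branch"]:
        # Advisory only lists 15.x and 11.x; other branches are not stated safe.
        return "not covered", ()
    # Pad short versions so '15.5' compares as 15.5.0, which is below 15.5.1.
    padded = ver + (0,) * max(0, 3 - len(ver))
    if padded >= entry["fixed"]:
        return "fixed", ()
    return "vulnerable", CVES


if __name__ == "__main__":
    # Constructed sample banners, not real installations.
    for b in ("VMware Workstation 15.5.0 build-1234567",
              "VMware Workstation 15.5.1 build-1234568",
              "VMware Fusion 11.5",
              "VMware Workstation 14.1.8 build-1234569"):
        print("%-45s -> %s" % (b, assess(b)))
```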

4. References

Fixed Version(s) and Release Notes:

VMware Workstation Pro 15.5.1
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 15.5.1
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Fusion 11.5.1
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5542

FIRST CVSSv3 Calculator CVE-2019-5540:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

FIRST CVSSv3 Calculator CVE-2019-5541:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

FIRST CVSSv3 Calculator CVE-2019-5542:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

5. Change log

2019-11-12: VMSA-2019-0021

Initial security advisory in conjunction with the release of Workstation 15.5.1
and Fusion 11.5.1.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================