CVE-2019-5517 - Out-of-bounds Read

Severity: 57%

Complexity: 86%

Confidentiality: 81%

VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-201903001), Workstation (15.x before 15.0.3 and 14.x before 14.1.6), Fusion (11.x before 11.0.3 and 10.x before 10.1.6) contain multiple out-of-bounds read vulnerabilities in the shader translator. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for these issues involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.


CVSS 3.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H).

CVSS 2.0 Base Score 5.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P).

Demo Examples

Out-of-bounds Read

CWE-125

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method.

    #include <stdio.h>

    int getValueFromArray(int *array, int len, int index) {
        int value;

        // check that the array index is less than the maximum
        // length of the array
        if (index < len) {
            // get the value at the specified index of the array
            value = array[index];
        }
        // if array index is invalid then output error message
        // and return value indicating error
        else {
            fprintf(stderr, "Invalid array index: %d\n", index);
            value = -1;
        }

        return value;
    }

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This allows a negative value to be accepted as the input array index, which results in an out-of-bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that it is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.


               
    ...
    // check that the array index is within the correct
    // range of values for the array
    if (index >= 0 && index < len) {
    ...
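The following C sketch is an added example, not code from this page or from VMware. It compares the upper-bound-only guard with the two-sided guard over constructed index values without dereferencing anything, and shows an accessor that reports failure out of band, so a stored -1 is not mistaken for the error value. All function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <limits.h>

/* Flawed guard from the demo: upper bound only. Returns true when the index
 * would be let through to array[index]. Nothing is dereferenced here. */
static bool upper_bound_only_accepts(int index, int len) {
    return index < len;
}

/* Corrected guard: both the minimum and the maximum are checked. */
static bool full_range_accepts(int index, int len) {
    return index >= 0 && index < len;
}

/* Hardened accessor (hypothetical name). Success is reported through the
 * return value and *out is written only on success, so an element whose
 * value is -1 is distinguishable from a rejected index. */
static bool get_value_checked(const int *array, int len, int index, int *out) {
    if (array == NULL || out == NULL || len <= 0)
        return false;
    if (!full_range_accepts(index, len))
        return false;
    *out = array[index];
    return true;
}

/* Count indices the flawed guard admits but the corrected guard rejects. */
static int count_guard_disagreements(const int *indices, size_t n, int len) {
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (upper_bound_only_accepts(indices[i], len) &&
            !full_range_accepts(indices[i], len))
            count++;
    }
    return count;
}

int main(void) {
    const int data[4] = { 10, -1, 30, 40 };        /* constructed sample data */
    const int probes[] = { -1, INT_MIN, 0, 3, 4 }; /* constructed index values */
    int v = 0;
    bool ok = get_value_checked(data, 4, 1, &v) && v == -1  /* valid read of -1 */
           && !get_value_checked(data, 4, -1, &v)           /* negative rejected */
           && !get_value_checked(data, 4, 4, &v)            /* index == len rejected */
           && count_guard_disagreements(probes, 5, 4) == 2; /* -1 and INT_MIN */
    return ok ? 0 : 1;
}
```
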

Overview

First reported: 2019-04-15 18:29:00 (5 years ago)

Last updated: 2019-04-16 17:44:00 (5 years ago)

Affected Software

VMware Fusion

VMWare VMWare

VMware ESXi 6.5

6.5

VMware ESXi 6.5 650-201701001

6.5

VMware ESXi 6.5 650-201703001

6.5

VMware ESXi 6.5 650-201703002

6.5

VMware ESXi 6.5 650-201704001

6.5

VMware ESXi 6.5 650-201707101

6.5

VMware ESXi 6.5 650-201707102

6.5

VMware ESXi 6.5 650-201707103

6.5

VMware ESXi 6.5 650-201707201

6.5

VMware ESXi 6.5 650-201707202

6.5

VMware ESXi 6.5 650-201707203

6.5

VMware ESXi 6.5 650-201707204

6.5

VMware ESXi 6.5 650-201707205

6.5

VMware ESXi 6.5 650-201707206

6.5

VMware ESXi 6.5 650-201707207

6.5

VMware ESXi 6.5 650-201707208

6.5

VMware ESXi 6.5 650-201707209

6.5

VMware ESXi 6.5 650-201707210

6.5

VMware ESXi 6.5 650-201707211

6.5

VMware ESXi 6.5 650-201707212

6.5

VMware ESXi 6.5 650-201707213

6.5

VMware ESXi 6.5 650-201707214

6.5

VMware ESXi 6.5 650-201707215

6.5

VMware ESXi 6.5 650-201707216

6.5

VMware ESXi 6.5 650-201707217

6.5

VMware ESXi 6.5 650-201707218

6.5

VMware ESXi 6.5 650-201707219

6.5

VMware ESXi 6.5 650-201707220

6.5

VMware ESXi 6.5 650-201707221

6.5

VMware ESXi 6.5 650-201710001

6.5

VMware ESXi 6.5 650-201712001

6.5

VMware ESXi 6.5 650-201803001

6.5

VMware ESXi 6.5 650-201806001

6.5

VMware ESXi 6.5 650-201808001

6.5

VMware ESXi 6.5 650-201810001

6.5

VMware ESXi 6.5 650-201810002

6.5

VMware ESXi 6.5 650-201811001

6.5

VMware ESXi 6.5 650-201811002

6.5

VMware ESXi 6.5 650-201811301

6.5

VMware ESXi 6.5 650-201901001

6.5

VMware ESXi 6.7

6.7

VMware ESXi 6.7 670-201806001

6.7

VMware ESXi 6.7 670-201807001

6.7

VMware ESXi 6.7 670-201808001

6.7

VMware ESXi 6.7 670-201810001

6.7

VMware ESXi 6.7 670-201810101

6.7

VMware ESXi 6.7 670-201810102

6.7

VMware ESXi 6.7 670-201810103

6.7

VMware ESXi 6.7 670-201810201

6.7

VMware ESXi 6.7 670-201810202

6.7

VMware ESXi 6.7 670-201810203

6.7

VMware ESXi 6.7 670-201810204

6.7

VMware ESXi 6.7 670-201810205

6.7

VMware ESXi 6.7 670-201810206

6.7

VMware ESXi 6.7 670-201810207

6.7

VMware ESXi 6.7 670-201810208

6.7

VMware ESXi 6.7 670-201810209

6.7

VMware ESXi 6.7 670-201810210

6.7

VMware ESXi 6.7 670-201810211

6.7

VMware ESXi 6.7 670-201810212

6.7

VMware ESXi 6.7 670-201810213

6.7

VMware ESXi 6.7 670-201810214

6.7

VMware ESXi 6.7 670-201810215

6.7

VMware ESXi 6.7 670-201810216

6.7

VMware ESXi 6.7 670-201810217

6.7

VMware ESXi 6.7 670-201810218

6.7

VMware ESXi 6.7 670-201810219

6.7

VMware ESXi 6.7 670-201810220

6.7

VMware ESXi 6.7 670-201810221

6.7

VMware ESXi 6.7 670-201810222

6.7

VMware ESXi 6.7 670-201810223

6.7

VMware ESXi 6.7 670-201810224

6.7

VMware ESXi 6.7 670-201810225

6.7

VMware ESXi 6.7 670-201810226

6.7

VMware ESXi 6.7 670-201810227

6.7

VMware ESXi 6.7 670-201810228

6.7

VMware ESXi 6.7 670-201810229

6.7

VMware ESXi 6.7 670-201810230

6.7

VMware ESXi 6.7 670-201810231

6.7

VMware ESXi 6.7 670-201810232

6.7

VMware ESXi 6.7 670-201810233

6.7

VMware ESXi 6.7 670-201810234

6.7

VMware ESXi 6.7 670-201811001

6.7

VMware ESXi 6.7 670-201901001

6.7

VMware ESXi 6.7 670-201901401

6.7

VMware ESXi 6.7 670-201901402

6.7

VMware ESXi 6.7 670-201901403

6.7

VMware ESXi 6.7 670-201904201

6.7

VMware ESXi 6.7 670-201904202

6.7

VMware ESXi 6.7 670-201904203

6.7

VMware ESXi 6.7 670-201904204

6.7

VMware ESXi 6.7 670-201904205

6.7

VMware ESXi 6.7 670-201904206

6.7

VMware ESXi 6.7 670-201904207

6.7

VMware ESXi 6.7 670-201904208

6.7

VMware ESXi 6.7 670-201904209

6.7

VMware ESXi 6.7 670-201904210

6.7

VMware ESXi 6.7 670-201904211

6.7

VMware ESXi 6.7 670-201904212

6.7

VMware ESXi 6.7 670-201904213

6.7

VMware ESXi 6.7 670-201904214

6.7

VMware ESXi 6.7 670-201904215

6.7

VMware ESXi 6.7 670-201904216

6.7

VMware ESXi 6.7 670-201904217

6.7

VMware ESXi 6.7 670-201904218

6.7

VMware ESXi 6.7 670-201904219

6.7

VMware ESXi 6.7 670-201904220

6.7

VMware ESXi 6.7 670-201904221

6.7

VMware ESXi 6.7 670-201904222

6.7

VMware ESXi 6.7 670-201904223

6.7

VMware ESXi 6.7 670-201904224

6.7

VMware ESXi 6.7 670-201904225

6.7

VMware ESXi 6.7 670-201904226

6.7

VMware ESXi 6.7 670-201904227

6.7

VMware ESXi 6.7 670-201904228

6.7

VMware ESXi 6.7 670-201904229

6.7
