Security Experts:

VMware Patches Vulnerabilities in Tools, Workstation

VMware announced on Thursday that it has patched two high-severity vulnerabilities in its Tools and Workstation software.

The first security hole, CVE-2019-5522, impacts VMware Tools 10.x on Windows and it has been described as an out-of-bounds read issue in the vm3dmp driver, which is installed in Windows guest machines.

“A local attacker with non-administrative access to a Windows guest with VMware Tools installed may be able to leak kernel information or create a denial of service attack on the same Windows guest machine,” VMware said in its advisory.

The flaw, reported to VMware by researchers ChenNan and RanchoIce of Tencent ZhanluLab, has been patched with the release of version 10.3.10. Workarounds are not available.

The second vulnerability, CVE-2019-5525, is a use-after-free bug affecting the Advanced Linux Sound Architecture (ALSA) backend in Workstation 15.x. VMware says the weakness could allow an attacker with normal user privileges on the guest machine to execute arbitrary code on the Linux host on which Workstation is installed. However, code execution can only be achieved if this flaw is combined with another vulnerability.

VMware Workstation 15.1.0 for Linux fixes the vulnerability. Brice L'helgouarc'h of Amossys has been credited for reporting the flaw to the vendor.

The vulnerabilities are “high severity” based on their CVSS score and VMware has rated them “important.”

Related: VMware Patches DoS, Information Disclosure Flaws in Graphics Components

Related: VMware Patches Flaws Disclosed at Pwn2Own 2019

Related: VMware Patches VM Escape Flaw Disclosed at Chinese Hacking Contest

Related: New VMware Firewall Focuses on Known Good Behavior

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.