
VMware has patched six vulnerabilities in its products

VMware has released two sets of patches for its software products. In total, VMware patched six vulnerabilities.

The first set of updates covers a number of serious vulnerabilities in components of the vSphere cloud platform and the vCenter Server management system. The second set contains patches for several applications, including Workstation Pro, Horizon Client, and Remote Console.

The most serious vulnerability, CVE-2019-5527, which received a CVSS score of 8.5, is a use-after-free memory error. The bug is in the sound processing component of the following VMware products:

  1. ESXi cloud hypervisor versions 6.0, 6.5 and 6.7.
  2. Fusion Workstation Solution.
  3. Workstation Pro virtual client.
  4. Remote VMRC console version 10 for Windows and Linux.
  5. Horizon Client 5.x for Windows, Linux, and macOS.

“Exploiting the vulnerability could allow a local attacker with a user level of access to the guest OS to execute their code on the host machine,” say the developers.

The vendor also fixed two information disclosure vulnerabilities in virtual machines deployed through OVF (Open Virtualization Format) objects. CVE-2019-5532 affects VMware vCenter Server versions 6.0, 6.5, and 6.7.

“An attacker with access to the virtual machine properties log files can view the credentials specified during the installation of OVF – this is usually a user with root privileges,” found Ola Beyioku, an information security specialist.

The vAppConfig property request can be used by an attacker for the same purpose. Rich Browne of F5 Networks reported vulnerability CVE-2019-5534 to the vendor. Both flaws were rated 7.7 on the CVSS scale and were fixed in releases 6.0 U3j, 6.5 U3 and 6.7 U3.

In addition, the vendor fixed an old bug found in the BusyBox UNIX utility that affects the security of the ESXi hypervisor. ESXi used a vulnerable component that incorrectly sanitized file names, which could lead to the execution of third-party commands within the shell. The flaw, rated 6.7, is registered as CVE-2017-16544 and is fixed in release ESXi650-201907101-SG.

Less serious flaws, involving unauthorized information disclosure in ESXi and vSphere components and a denial-of-service condition in the Workstation and Fusion products, were rated 4.2 and 4.7, respectively. VMware fixed these errors in the next product updates.

This spring, the virtualization vendor fixed vulnerabilities CVE-2019-5518 and CVE-2019-5519, which were identified during the Pwn2Own 2019 contest. VMware fixed a code execution problem at the host level, as well as the unauthorized launch of JavaScript scripts within the guest machine.

William Reddy
