VMware ESXi (6.7 before ESXi670-201903001, 6.5 before ESXi650-201903001, 6.0 before ESXi600-201903001), Workstation (15.x before 15.0.4, 14.x before 14.1.7), Fusion (11.x before 11.0.3, 10.x before 10.1.6) contain a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface). Exploitation of this issue requires an attacker to have access to a virtual machine with a virtual USB controller present. This issue may allow a guest to execute code on the host.
Weakness
The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fusion | Vmware | 10.0.0 (including) | 10.1.6 (excluding) |
| Fusion | Vmware | 11.0.0 (including) | 11.0.3 (excluding) |
| Workstation | Vmware | 14.0.0 (including) | 14.1.7 (excluding) |
| Workstation | Vmware | 15.0.0 (including) | 15.0.4 (excluding) |
| Esxi | Vmware | 6.0 (including) | 6.0 (including) |
| Esxi | Vmware | 6.0-600-201811001 (including) | 6.0-600-201811001 (including) |
| Esxi | Vmware | 6.0-600-201811401 (including) | 6.0-600-201811401 (including) |
| Esxi | Vmware | 6.5 (including) | 6.5 (including) |
| Esxi | Vmware | 6.5-650-201707101 (including) | 6.5-650-201707101 (including) |
| Esxi | Vmware | 6.5-650-201707102 (including) | 6.5-650-201707102 (including) |
| Esxi | Vmware | 6.5-650-201707103 (including) | 6.5-650-201707103 (including) |
| Esxi | Vmware | 6.5-650-201707201 (including) | 6.5-650-201707201 (including) |
| Esxi | Vmware | 6.5-650-201707202 (including) | 6.5-650-201707202 (including) |
| Esxi | Vmware | 6.5-650-201707203 (including) | 6.5-650-201707203 (including) |
| Esxi | Vmware | 6.5-650-201707204 (including) | 6.5-650-201707204 (including) |
| Esxi | Vmware | 6.5-650-201707205 (including) | 6.5-650-201707205 (including) |
| Esxi | Vmware | 6.5-650-201707206 (including) | 6.5-650-201707206 (including) |
| Esxi | Vmware | 6.5-650-201707207 (including) | 6.5-650-201707207 (including) |
| Esxi | Vmware | 6.5-650-201707208 (including) | 6.5-650-201707208 (including) |
| Esxi | Vmware | 6.5-650-201707209 (including) | 6.5-650-201707209 (including) |
| Esxi | Vmware | 6.5-650-201707210 (including) | 6.5-650-201707210 (including) |
| Esxi | Vmware | 6.5-650-201707211 (including) | 6.5-650-201707211 (including) |
| Esxi | Vmware | 6.5-650-201707212 (including) | 6.5-650-201707212 (including) |
| Esxi | Vmware | 6.5-650-201707213 (including) | 6.5-650-201707213 (including) |
| Esxi | Vmware | 6.5-650-201707214 (including) | 6.5-650-201707214 (including) |
| Esxi | Vmware | 6.5-650-201707215 (including) | 6.5-650-201707215 (including) |
| Esxi | Vmware | 6.5-650-201707216 (including) | 6.5-650-201707216 (including) |
| Esxi | Vmware | 6.5-650-201707217 (including) | 6.5-650-201707217 (including) |
| Esxi | Vmware | 6.5-650-201707218 (including) | 6.5-650-201707218 (including) |
| Esxi | Vmware | 6.5-650-201707219 (including) | 6.5-650-201707219 (including) |
| Esxi | Vmware | 6.5-650-201707220 (including) | 6.5-650-201707220 (including) |
| Esxi | Vmware | 6.5-650-201707221 (including) | 6.5-650-201707221 (including) |
| Esxi | Vmware | 6.5-650-201811001 (including) | 6.5-650-201811001 (including) |
| Esxi | Vmware | 6.5-650-201811301 (including) | 6.5-650-201811301 (including) |
| Esxi | Vmware | 6.7 (including) | 6.7 (including) |
| Esxi | Vmware | 6.7-670-201810101 (including) | 6.7-670-201810101 (including) |
| Esxi | Vmware | 6.7-670-201810102 (including) | 6.7-670-201810102 (including) |
| Esxi | Vmware | 6.7-670-201810103 (including) | 6.7-670-201810103 (including) |
| Esxi | Vmware | 6.7-670-201810201 (including) | 6.7-670-201810201 (including) |
| Esxi | Vmware | 6.7-670-201810202 (including) | 6.7-670-201810202 (including) |
| Esxi | Vmware | 6.7-670-201810203 (including) | 6.7-670-201810203 (including) |
| Esxi | Vmware | 6.7-670-201810204 (including) | 6.7-670-201810204 (including) |
| Esxi | Vmware | 6.7-670-201810205 (including) | 6.7-670-201810205 (including) |
| Esxi | Vmware | 6.7-670-201810206 (including) | 6.7-670-201810206 (including) |
| Esxi | Vmware | 6.7-670-201810207 (including) | 6.7-670-201810207 (including) |
| Esxi | Vmware | 6.7-670-201810208 (including) | 6.7-670-201810208 (including) |
| Esxi | Vmware | 6.7-670-201810209 (including) | 6.7-670-201810209 (including) |
| Esxi | Vmware | 6.7-670-201810210 (including) | 6.7-670-201810210 (including) |
| Esxi | Vmware | 6.7-670-201810211 (including) | 6.7-670-201810211 (including) |
| Esxi | Vmware | 6.7-670-201810212 (including) | 6.7-670-201810212 (including) |
| Esxi | Vmware | 6.7-670-201810213 (including) | 6.7-670-201810213 (including) |
| Esxi | Vmware | 6.7-670-201810214 (including) | 6.7-670-201810214 (including) |
| Esxi | Vmware | 6.7-670-201810215 (including) | 6.7-670-201810215 (including) |
| Esxi | Vmware | 6.7-670-201810216 (including) | 6.7-670-201810216 (including) |
| Esxi | Vmware | 6.7-670-201810217 (including) | 6.7-670-201810217 (including) |
| Esxi | Vmware | 6.7-670-201810218 (including) | 6.7-670-201810218 (including) |
| Esxi | Vmware | 6.7-670-201810219 (including) | 6.7-670-201810219 (including) |
| Esxi | Vmware | 6.7-670-201810220 (including) | 6.7-670-201810220 (including) |
| Esxi | Vmware | 6.7-670-201810221 (including) | 6.7-670-201810221 (including) |
| Esxi | Vmware | 6.7-670-201810222 (including) | 6.7-670-201810222 (including) |
| Esxi | Vmware | 6.7-670-201810223 (including) | 6.7-670-201810223 (including) |
| Esxi | Vmware | 6.7-670-201810224 (including) | 6.7-670-201810224 (including) |
| Esxi | Vmware | 6.7-670-201810225 (including) | 6.7-670-201810225 (including) |
| Esxi | Vmware | 6.7-670-201810226 (including) | 6.7-670-201810226 (including) |
| Esxi | Vmware | 6.7-670-201810227 (including) | 6.7-670-201810227 (including) |
| Esxi | Vmware | 6.7-670-201810228 (including) | 6.7-670-201810228 (including) |
| Esxi | Vmware | 6.7-670-201810229 (including) | 6.7-670-201810229 (including) |
| Esxi | Vmware | 6.7-670-201810230 (including) | 6.7-670-201810230 (including) |
| Esxi | Vmware | 6.7-670-201810231 (including) | 6.7-670-201810231 (including) |
| Esxi | Vmware | 6.7-670-201810232 (including) | 6.7-670-201810232 (including) |
| Esxi | Vmware | 6.7-670-201810233 (including) | 6.7-670-201810233 (including) |
| Esxi | Vmware | 6.7-670-201810234 (including) | 6.7-670-201810234 (including) |
| Esxi | Vmware | 6.7-670-201901401 (including) | 6.7-670-201901401 (including) |
| Esxi | Vmware | 6.7-670-201901402 (including) | 6.7-670-201901402 (including) |
| Esxi | Vmware | 6.7-670-201901403 (including) | 6.7-670-201901403 (including) |
Potential Mitigations
Related Attack Patterns
References
- http://packetstormsecurity.com/files/152290/VMware-Security-Advisory-2019-0005.html
- http://www.securityfocus.com/bid/107535
- http://www.securityfocus.com/bid/108443
- https://www.vmware.com/security/advisories/VMSA-2019-0005.html
- https://www.zerodayinitiative.com/advisories/ZDI-19-420/
- http://packetstormsecurity.com/files/152290/VMware-Security-Advisory-2019-0005.html
- http://www.securityfocus.com/bid/107535
- http://www.securityfocus.com/bid/108443
- https://www.vmware.com/security/advisories/VMSA-2019-0005.html
- https://www.zerodayinitiative.com/advisories/ZDI-19-420/