VMWare Fusion APIs available without auth via web socket (CVE-2019-5514)

2019-04-01T00:00:00
ID AKB:AEFA1581-91E6-4BFD-963B-1F35A6CC494C
Type attackerkb
Reporter AttackerKB
Modified 2020-02-13T00:00:00

Description

VMware Fusion (11.x before 11.0.3) contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket. An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines.

Recent assessments:

jrobles-r7 at May 28, 2019 6:57pm UTC reported:

From the theevilbit write-up I can’t tell if arguments can be provided to the programs that are launched in the VMs. If arguments can be provided to the launched programs then this would be worse.

Assessed Attacker Value: 3
Assessed Attacker Value: 2busterb at May 28, 2019 6:44pm UTC reported:

From the theevilbit write-up I can’t tell if arguments can be provided to the programs that are launched in the VMs. If arguments can be provided to the launched programs then this would be worse.

Assessed Attacker Value: 4
Assessed Attacker Value: 1space-r7 at May 28, 2019 6:43pm UTC reported:

From the theevilbit write-up I can’t tell if arguments can be provided to the programs that are launched in the VMs. If arguments can be provided to the launched programs then this would be worse.

Assessed Attacker Value: 3