CVE-2019-5183

2020-01-25T00:00:00
ID AKB:D1546F47-6385-4452-85B4-BCD67F93AF06
Type attackerkb
Reporter AttackerKB
Modified 2020-07-24T00:00:00

Description

An exploitable type confusion vulnerability exists in the AMD ATIDXX64.DLL driver, versions 26.20.13031.10003, 26.20.13031.15006 and 26.20.13031.18002. A specially crafted pixel shader can cause a type confusion issue, leading to potential code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from a VMware guest, affecting the VMware host.

Recent assessments:

zeroSteiner at February 04, 2020 8:16pm UTC reported:

The attacker utility for this particular vulnerability is limited by the hardware dependency. Additionally, the vulnerability as described in the original disclosure cannot be used for privilege escalation, only VMware escapes.

The vmware-vmx.exe process on the host OS runs as the user who started VMware, which is why the vulnerability would not yield SYSTEM privileges on the host. At the time of this writing, the vmware-vmx.exe process does not utilize the new Control Flow Guard, which would make it easier to overwrite an entry in the vtable with a function pointer, aiding in exploit development.

While a failed exploit attempt would not crash the host OS because the vulnerability is not kernel mode, the VMware guest may be affected and become unresponsive.

Assessed Attacker Value: 3
Assessed Attacker Value: 4

bwatters-r7 at February 04, 2020 8:31pm UTC reported:

The attacker utility for this particular vulnerability is limited by the hardware dependency. Additionally, the vulnerability as described in the original disclosure cannot be used for privilege escalation, only VMware escapes.

The vmware-vmx.exe process on the host OS runs as the user who started VMware, which is why the vulnerability would not yield SYSTEM privileges on the host. At the time of this writing, the vmware-vmx.exe process does not utilize the new Control Flow Guard, which would make it easier to overwrite an entry in the vtable with a function pointer, aiding in exploit development.

While a failed exploit attempt would not crash the host OS because the vulnerability is not kernel mode, the VMware guest may be affected and become unresponsive.

Assessed Attacker Value: 2
Assessed Attacker Value: 3