VMware Workstation (15.x prior to 15.5.1) and Horizon View Agent (7.10.x prior to 7.10.1 and 7.5.x prior to 7.5.4) contain a DLL hijacking vulnerability due to insecure loading of a DLL by Cortado Thinprint. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to administrator on a Windows machine where Workstation or View Agent is installed.
{"nessus": [{"lastseen": "2021-09-01T00:24:06", "description": "The version of VMware Workstation installed on the remote Windows host is 15.0.x prior to 15.5.1. It is, therefore, affected by a vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-12-27T00:00:00", "type": "nessus", "title": "VMware Workstation 15.0.x < 15.5.1 Vulnerability (VMSA-2019-0023)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-5539"], "modified": "2020-09-21T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_VMSA_2019_0023.NASL", "href": "https://www.tenable.com/plugins/nessus/132417", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132417);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\"CVE-2019-5539\");\n script_xref(name:\"VMSA\", value:\"2019-0023\");\n\n script_name(english:\"VMware Workstation 15.0.x < 15.5.1 Vulnerability (VMSA-2019-0023)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote Windows host is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote Windows host is 15.0.x prior to 15.5.1. It is, therefore,\naffected by a vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the\napplication's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2019-0023.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to VMware Workstation version 15.5.1, or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5539\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Workstation\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\napp_info = vcf::get_app_info(app:'VMware Workstation', win_local:TRUE);\n\nconstraints = [\n { 'min_version' : '15.0', 'fixed_version' : '15.5.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-01T00:22:49", "description": "The VMware Horizon View Agent installed on the remote host is 7.x prior to 7.5.4, 7.10.1, or 7.11.0. It is, therefore, affected by a DLL hijacking vulnerability due to insecure loading of a DLL by Cortado Thinprint. An authenticated, local attacker with normal user privileges can exploit this to escalate their privileges to administrator on a Windows machine where View Agent is installed.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-01-10T00:00:00", "type": "nessus", "title": "VMware Horizon View Agent 7.x < 7.5.4 / 7.10.1 / 7.11.0 Privilege Escalation (VMSA-2019-0023)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-5539"], "modified": "2020-01-13T00:00:00", "cpe": ["cpe:/a:vmware:horizon_view_agent"], "id": "VMWARE_HORIZON_VIEW_AGENT_VMSA-2019-0023.NASL", "href": "https://www.tenable.com/plugins/nessus/132753", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132753);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/13\");\n\n script_cve_id(\"CVE-2019-5539\");\n script_xref(name:\"VMSA\", value:\"2019-0023\");\n script_xref(name:\"IAVB\", value:\"2020-B-0001\");\n\n script_name(english:\"VMware Horizon View Agent 7.x < 7.5.4 / 7.10.1 / 7.11.0 Privilege Escalation (VMSA-2019-0023)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtual desktop agent installed that is affected by a privilege escalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The VMware Horizon View Agent installed on the remote host is 7.x prior to 7.5.4, 7.10.1, or 7.11.0. It is, therefore,\naffected by a DLL hijacking vulnerability due to insecure loading of a DLL by Cortado Thinprint. An authenticated,\nlocal attacker with normal user privileges can exploit this to escalate their privileges to administrator on a Windows\nmachine where View Agent is installed.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2019-0023.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Horizon View Agent 7.5.4, 7.10.1, 7.11.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5539\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:horizon_view_agent\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_view_agent_detect.nasl\");\n script_require_keys(\"installed_sw/VMware View Agent\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'VMware View Agent';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nconstraints = [\n { 'min_version': '7.0', 'fixed_version' : '7.5.4' },\n { 'min_version': '7.6', 'fixed_version' : '7.10.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2021-06-08T19:15:25", "bulletinFamily": "software", "cvelist": ["CVE-2019-5539"], "description": "### Description\n\nMultiple VMware products are prone to a local privilege-escalation vulnerability. A local attacker can leverage this issue to gain administrator privileges on the machine. The following VMware products are affected: Workstation version 15.x is vulnerable Horizon View Agent version 7.x.x is vulnerable\n\n### Technologies Affected\n\n * VMWare Horizon View Agent 7.10.0 \n * VMWare Horizon View Agent 7.5.0 \n * VMWare Horizon View Agent 7.5.1 \n * VMWare Workstation 15.0 \n * VMWare Workstation 15.0.1 \n * VMWare Workstation 15.0.2 \n * VMWare Workstation 15.0.3 \n * VMWare Workstation 15.0.4 \n * VMWare Workstation 15.1.0 \n * VMWare Workstation 15.5.0 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as non-executable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "modified": "2019-12-20T00:00:00", "id": "SMNTC-111265", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111265", "published": "2019-12-20T00:00:00", "type": "symantec", "title": "Multiple VMware Products CVE-2019-5539 DLL Loading Local Privilege Escalation Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "vmware": [{"lastseen": "2022-06-19T20:01:56", "description": "3\\. DLL hijacking vulnerability via Cortado Thinprint (CVE-2019-5539) \n\nVMware Workstation and Horizon View Agent contain a DLL hijacking vulnerability due to insecure loading of a DLL by Cortado Thinprint. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.3.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-12-20T00:00:00", "type": "vmware", "title": "VMware Workstation and Horizon View Agent updates address a DLL-hijacking issue (CVE-2019-5539)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5539"], "modified": "2019-12-20T00:00:00", "id": "VMSA-2019-0023", "href": "https://www.vmware.com/security/advisories/VMSA-2019-0023.html", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}]}
CVE-2019-5539
