VMware VMSA-2019-0005.1
Mar 28, 2019 - 12:00 a.m.

VMware ESXi, Workstation and Fusion updates address multiple security issues.

2019-03-28 00:00:00
www.vmware.com

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.085 Low
Percentile: 94.4%

a. VMware ESXi, Workstation and Fusion UHCI out-of-bounds read/write and TOCTOU vulnerabilities

VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface). Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host.

In ESXi, Workstation and Fusion, when a virtual USB 2.0 controller is added to a VM, a virtual USB 1.1 controller is also added by default. In Workstation and Fusion, when a virtual USB 3.0 controller is added to a VM, a virtual USB 1.1 controller is also added by default.

VMware would like to thank the Fluoroacetate team of Amat Cama and Richard Zhu, working with the Pwn2Own 2019 Security Contest, for reporting these issues to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2019-5518 (out-of-bounds read/write) and CVE-2019-5519 (TOCTOU) to these issues.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
