{"id": "VMSA-2019-0023", "bulletinFamily": "unix", "title": "VMware Workstation and Horizon View Agent updates address a DLL-hijacking issue (CVE-2019-5539)", "description": "##### 1\\. Impacted Products\n\n * VMware Workstation Pro / Player (Workstation)\n * VMware Horizon View Agent (View Agent)\n\n##### 2\\. Introduction\n\n###### VMware Workstation and Horizon View Agent contain a DLL-hijacking issue. Patches are available to remediate this vulnerability in affected VMware products. \n\n\n###### \n\n##### 3\\. DLL hijacking vulnerability via Cortado Thinprint (CVE-2019-5539) \n\n\n**Description: \n**\n\nVMware Workstation and Horizon View Agent contain a DLL hijacking vulnerability due to insecure loading of a DLL by Cortado Thinprint. VMware has evaluated the severity of this issue to be in the [moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [6.3](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N>). \n\n\n**Known Attack Vectors:**\n\nSuccessful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to administrator on a Windows machine where Workstation or View Agent is installed. \n\n\n**Resolution:**\n\nTo remediate CVE-2019-5539, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. \n\n\n**Workarounds:**\n\nNone.\n\n**Additional Documentations:**\n\nNone.\n\n**Acknowledgements:**\n\nVMware would like to thank Peleg Hadar of SafeBreach Labs for reporting this issue to us. \n\n\n**Response Matrix:**\n", "published": "2019-12-20T00:00:00", "modified": "2019-12-20T00:00:00", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.vmware.com/security/advisories/VMSA-2019-0023.html", "reporter": "VMware", "references": [], "cvelist": ["CVE-2019-5539"], "type": "vmware", "lastseen": "2020-01-14T20:32:13", "edition": 5, "viewCount": 104, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-5539"]}, {"type": "symantec", "idList": ["SMNTC-111265"]}, {"type": "nessus", "idList": ["VMWARE_WORKSTATION_VMSA_2019_0023.NASL", "VMWARE_HORIZON_VIEW_AGENT_VMSA-2019-0023.NASL"]}], "modified": "2020-01-14T20:32:13", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-01-14T20:32:13", "rev": 2}, "vulnersScore": 5.4}, "affectedPackage": [], "scheme": null}

{"cve": [{"lastseen": "2020-12-09T21:41:54", "description": "VMware Workstation (15.x prior to 15.5.1) and Horizon View Agent (7.10.x prior to 7.10.1 and 7.5.x prior to 7.5.4) contain a DLL hijacking vulnerability due to insecure loading of a DLL by Cortado Thinprint. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to administrator on a Windows machine where Workstation or View Agent is installed.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-23T20:15:00", "title": "CVE-2019-5539", "type": "cve", "cwe": ["CWE-426"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5539"], "modified": "2020-01-02T20:36:00", "cpe": [], "id": "CVE-2019-5539", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5539", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "symantec": [{"lastseen": "2019-12-23T20:22:39", "bulletinFamily": "software", "cvelist": ["CVE-2019-5539"], "description": "### Description\n\nMultiple VMware products are prone to a local privilege-escalation vulnerability. A local attacker can leverage this issue to gain administrator privileges on the machine. The following VMware products are affected: Workstation version 15.x is vulnerable Horizon View Agent version 7.x.x is vulnerable\n\n### Technologies Affected\n\n * VMWare Horizon View Agent 7.10.0 \n * VMWare Horizon View Agent 7.5.0 \n * VMWare Horizon View Agent 7.5.1 \n * VMWare Workstation 15.0 \n * VMWare Workstation 15.0.1 \n * VMWare Workstation 15.0.2 \n * VMWare Workstation 15.0.3 \n * VMWare Workstation 15.0.4 \n * VMWare Workstation 15.1.0 \n * VMWare Workstation 15.5.0 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as non-executable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-12-20T00:00:00", "published": "2019-12-20T00:00:00", "id": "SMNTC-111265", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111265", "type": "symantec", "title": "Multiple VMware Products CVE-2019-5539 DLL Loading Local Privilege Escalation Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2021-01-01T07:00:02", "description": "The VMware Horizon View Agent installed on the remote host is 7.x prior to 7.5.4, 7.10.1, or 7.11.0. It is, therefore,\naffected by a DLL hijacking vulnerability due to insecure loading of a DLL by Cortado Thinprint. An authenticated,\nlocal attacker with normal user privileges can exploit this to escalate their privileges to administrator on a Windows\nmachine where View Agent is installed.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 15, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-01-10T00:00:00", "title": "VMware Horizon View Agent 7.x < 7.5.4 / 7.10.1 / 7.11.0 Privilege Escalation (VMSA-2019-0023)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5539"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:horizon_view_agent"], "id": "VMWARE_HORIZON_VIEW_AGENT_VMSA-2019-0023.NASL", "href": "https://www.tenable.com/plugins/nessus/132753", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132753);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/13\");\n\n script_cve_id(\"CVE-2019-5539\");\n script_xref(name:\"VMSA\", value:\"2019-0023\");\n script_xref(name:\"IAVB\", value:\"2020-B-0001\");\n\n script_name(english:\"VMware Horizon View Agent 7.x < 7.5.4 / 7.10.1 / 7.11.0 Privilege Escalation (VMSA-2019-0023)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtual desktop agent installed that is affected by a privilege escalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The VMware Horizon View Agent installed on the remote host is 7.x prior to 7.5.4, 7.10.1, or 7.11.0. It is, therefore,\naffected by a DLL hijacking vulnerability due to insecure loading of a DLL by Cortado Thinprint. An authenticated,\nlocal attacker with normal user privileges can exploit this to escalate their privileges to administrator on a Windows\nmachine where View Agent is installed.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2019-0023.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Horizon View Agent 7.5.4, 7.10.1, 7.11.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5539\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:horizon_view_agent\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_view_agent_detect.nasl\");\n script_require_keys(\"installed_sw/VMware View Agent\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'VMware View Agent';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nconstraints = [\n { 'min_version': '7.0', 'fixed_version' : '7.5.4' },\n { 'min_version': '7.6', 'fixed_version' : '7.10.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T10:55:15", "description": "The version of VMware Workstation installed on the remote Windows host is 15.0.x prior to 15.5.1. It is, therefore,\naffected by a vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the\napplication's self-reported version number.", "edition": 15, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-12-27T00:00:00", "title": "VMware Workstation 15.0.x < 15.5.1 Vulnerability (VMSA-2019-0023)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5539"], "modified": "2019-12-27T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_VMSA_2019_0023.NASL", "href": "https://www.tenable.com/plugins/nessus/132417", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132417);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\"CVE-2019-5539\");\n script_xref(name:\"VMSA\", value:\"2019-0023\");\n\n script_name(english:\"VMware Workstation 15.0.x < 15.5.1 Vulnerability (VMSA-2019-0023)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote Windows host is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote Windows host is 15.0.x prior to 15.5.1. It is, therefore,\naffected by a vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the\napplication's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2019-0023.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to VMware Workstation version 15.5.1, or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5539\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Workstation\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\napp_info = vcf::get_app_info(app:'VMware Workstation', win_local:TRUE);\n\nconstraints = [\n { 'min_version' : '15.0', 'fixed_version' : '15.5.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}]}