Piotr Bania of Cisco Talos discovered these vulnerabilities.
Executive summary VMware ESXi, Workstation and Fusion are affected by an out-of-bounds write vulnerability that can be triggered using a specially crafted shader file. This vulnerability can be triggered from a VMware guest, affecting the VMware host, leading to a crash (denial-of-service) of the vmware-vmx.exe process on the host (TALOS-2019-0757).
However, when the host/guest systems are using an NVIDIA graphics card, the VMware denial-of-service can be turned into a code execution vulnerability (leading to a VM escape), because of an
additional security issue present in NVIDIA's Windows GPU Display Driver (TALOS-2019-0779).
Moreover, two out-of-bounds write vulnerabilities that could lead to arbitrary code execution have been found on NVIDIA Windows GPU Display Driver (TALOS-2019-0812, TALOS-2019-0813). These can be triggered by a specially crafted shader file.
In accordance with our coordinated disclosure policy, Cisco Talos worked with NVIDIA and VMware to ensure that these issues are resolved and that updates available for affected customers.
Vulnerability details VMware Workstation 15 pixel shader functionality denial of service vulnerability (TALOS-2019-0757/CVE-2019-5521)
An exploitable denial-of-service vulnerability exists in VMware Workstation 15. A specially crafted pixel shader can cause denial-of-service issues. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host, leading to vmware-vmx.exe process crash on host.
Read the complete vulnerability advisory here for additional information.
NVIDIA NVWGF2UMX_CFG.DLL shader functionality code execution vulnerability (TALOS-2019-0779/CVE-2019-5684)
An exploitable untrusted pointer dereference vulnerability exists in NVIDIA NVWGF2UMX_CFG driver, versions 24.21.14.1216 and 412.16. A specially crafted pixel shader can cause an untrusted pointer dereference, potentially resulting in code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, and will affect a VMware host.
Read the complete vulnerability advisory here for additional information.
NVIDIA NVWGF2UMX_CFG.DLL Shader functionality DCL_INDEXABLETEMP code execution vulnerability (TALOS-2019-0812/CVE-2019-5685)
An exploitable memory corruption vulnerability exists in NVIDIA NVWGF2UMX_CFG driver, versions 25.21.14.2531 and 425.31. A specially crafted pixel shader can cause an out-of-bounds memory write. An attacker could provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host.
Read the complete vulnerability advisory here for additional information.
NVIDIA NVWGF2UMX_CFG.DLL Shader functionality DCL_INDEXABLETEMP code execution vulnerability (TALOS-2019-0813/CVE-2019-5685)
An exploitable memory corruption vulnerability exists in NVIDIA NVWGF2UMX_CFG driver, versions 25.21.14.2531 and 425.31. A specially crafted pixel shader can cause an untrusted pointer dereference. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host.
Read the complete vulnerability advisory here for additional information.
Versions tested Talos tested and confirmed that TALOS-2019-0757 affects VMware Workstation 15 (15.0.2 build-10952284) with Windows 10 x64 as guestVM. The three other bugs affect NVWGF2UMX_CFG.DLL, version 25.21.14.2531; NVIDIA D3D10 driver, version 425.31 on NVIDIA Quadro K620 and VMware Workstation 15 (15.0.4 build-12990004) with Windows 10 x64 as guestVM.
Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 48852, 48853, 49894, 49895 - 49897, 49205, 49206