Piotr Bania of Cisco Talos discovered this vulnerability.

Some AMD Radeon cards contain a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details AMD ATI Radeon ATIDXX64.DLL shader functionality remote code execution vulnerability (TALOS-2019-0818/CVE-2019-5049)

An exploitable memory corruption vulnerability exists in AMD ATIDXX64.DLL driver, versions 25.20.15031.5004 and 25.20.15031.9002. A specially crafted pixel shader can cause an out-of-bounds memory write. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from within a VMware guest, potentially allowing code execution on the associated VMware host.

Read the complete vulnerability advisory here for additional information.

Versions tested Talos tested and confirmed that this vulnerability affects AMD ATIDXX64.DLL, versions 25.20.15031.5004 and 25.20.15031.9002, while running on the Radeon RX 550/550 Series. This vulnerability can only be exploited when VMware Workstation 15 version, 15.0.4,build-12990004 with Windows 10 x64 as the guestVM is running.


Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 49978, 49979