#VU21242 Input validation error in VMware Workstation and VMware Fusion - CVE-2019-5535

Vulnerability identifier: #VU21242

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-5535

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
VMware Workstation
Client/Desktop applications / Virtualization software
VMware Fusion
Client/Desktop applications / Virtualization software

Vendor: VMware, Inc

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of IPV6 network traffic. A local user on guest OS can send specially crafted IPV6 packets  and disallow network connectivity for all guest machines using VMware NAT mode.

Successful exploitation of this vulnerability requires that VMNAT is enabled.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

VMware Workstation: 15.0.0 - 15.1.0

VMware Fusion: 11.0.0 - 11.1.1

---

External links
https://www.vmware.com/security/advisories/VMSA-2019-0014.html

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.