首页 > 安全研究 > 安全通报 > 安全通告

VMware Fusion本地安全限制绕过安全漏洞安全通告

发布时间 2019-04-03

漏洞编号和级别


CVE编号:CVE-2019-5514,危险级别:严重,CVSS分值:官方未评定


影响版本


VMWare Fusion 11.x < 11.0.3


漏洞概述


VMware Fusion是一套专用于在苹果机(Mac)上运行Windows应用程序的的虚拟机软件。

VMware Fusion 11.x < 11.0.3版本,由于通过网络套接字可以未经验证访问某些API,在实现中存在安全漏洞,攻击者利用此漏洞可在客户端上执行未授权操作。


漏洞验证


漏洞分析及POC:https://theevilbit.github.io/posts/vmware_fusion_11_guest_vm_rce_cve-2019-5514/。


修复建议


VMWare已经为此发布了安全公告以及相应补丁:

链接:https://www.vmware.com/security/advisories/VMSA-2019-0005.html


补丁下载:

ESXi 6.7

Downloads:  https://my.vmware.com/group/vmware/patch
Documentation: https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-201903001.html
ESXi 6.5 
Downloads: https://my.vmware.com/group/vmware/patch
Documentation: https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201903001.html
ESXi 6.0 
Downloads: https://my.vmware.com/group/vmware/patch
Documentation: https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201903001.html
VMware Workstation Pro 14.1.6, 14.1.7, 15.0.3, 15.0.4
Downloads and Documentation: 
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 14.1.6, 14.1.7, 15.0.3, 15.0.4
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion Pro / Fusion 10.1.6, 11.0.3

Downloads and Documentation:

https://www.vmware.com/go/downloadfusion https://docs.vmware.com/en/VMware-Fusion/index.html


参考链接


https://www.vmware.com/security/advisories/VMSA-2019-0005.html
https://theevilbit.github.io/posts/vmware_fusion_11_guest_vm_rce_cve-2019-5514/

上一篇 下一篇