====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN382

_____________________________________________________________________

DATE                : 06/12/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ESXi, VMware Horizon DaaS.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2019-0022.html
_____________________________________________________________________

Advisory ID             VMSA-2019-0022
Advisory Severity       Critical
CVSSv3 Range            9.8

Synopsis 	VMware ESXi and Horizon DaaS updates address OpenSLP
                remote code execution vulnerability (CVE-2019-5544)
Issue Date              2019-12-05
Updated On              2019-12-05 (Initial Advisory)
CVE(s)                  CVE-2019-5544


1. Impacted Products

    VMware ESXi
    VMware Horizon DaaS


2. Introduction

A vulnerability in OpenSLP was privately reported to VMware. Patches
and workarounds are available to address this vulnerability in affected
VMware products.


3. VMware ESXi and Horizon DaaS updates address OpenSLP remote code
execution vulnerability (CVE-2019-5544)

Description:
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap
overwrite issue. VMware has evaluated the severity of this issue to be
in the Critical severity range with a maximum CVSSv3 base score of 9.8.


Known Attack Vectors:

A malicious actor with network access to port 427 on an ESXi host or on
any Horizon DaaS management appliance may be able to overwrite the heap
of the OpenSLP service resulting in remote code execution.


Resolution:

To remediate CVE-2019-5544 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' below.


Workarounds:

Workarounds for CVE-2019-5544 have been documented in the VMware
Knowledge Base articles listed in the 'Workarounds' column of the
'Response Matrix' below.



Additional Documentation:

 None.


Notes:

 None.


Acknowledgements:

VMware would like to thank the 360Vulcan team working with the 2019
Tianfu Cup Pwn Contest for reporting this issue to us.


Response Matrix:

Product 	Version 	Running On 	CVE Identifier 	CVSSV3 	Severity 	Fixed
Version 	Workarounds 	Additional Documents

ESXi 	6.7 	Any 	CVE-2019-5544 	9.8 	Critical 	ESXi670-201912001
KB76372 	None

ESXi 	6.5 	Any 	CVE-2019-5544 	9.8 	Critical 	ESXi650-201912001
KB76372 	None

ESXi 	6.0 	Any 	CVE-2019-5544 	9.8 	Critical 	ESXi600-201912001
KB76372 	None

Horizon DaaS 	8.x 	Virtual Appliance 	CVE-2019-5544 	9.8 	Critical
Patch Pending 	KB76411 	None


4. References


Fixed Version(s) and Release Notes:



ESXi 6.7 Patch Release ESXi670-201912001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-201912001.html


ESXi 6.5 Patch Release ESXi650-201912001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201912001.html


ESXi 6.0 Patch Release ESXi600-201912001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201912001.html


Workarounds:

https://kb.vmware.com/s/article/76372

https://kb.vmware.com/s/article/76411


FIRST CVSSv3 Calculator:
CVE-2019-5544 -
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5544


5. Change log

2019-12-05: VMSA-2019-0022

Initial security advisory in conjunction with the release of ESXi
patches on 2019-12-05.


6. Contact


E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:
  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC


Copyright 2019 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================