Attacker Value
High
(3 users assessed)
Exploitability
Low
(3 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

VMware Fusion APIs available without auth via web socket (CVE-2019-5514)

Disclosure Date: April 01, 2019 Last updated February 13, 2020

Description

VMware Fusion (11.x before 11.0.3) contains a security vulnerability: certain unauthenticated APIs are accessible through a web socket. An attacker may exploit this issue by tricking the host user into executing JavaScript that performs unauthorized functions on a guest machine where VMware Tools is installed. This may be further exploited to execute commands on the guest machines.


Ratings
  • Attacker Value
    Medium
  • Exploitability
    Low
Technical Analysis

From the theevilbit write-up I can’t tell if arguments can be provided to the programs that are launched in the VMs. If arguments can be provided to the launched programs then this would be worse.

Ratings
  • Attacker Value
    High
  • Exploitability
    Very Low
Technical Analysis

This needs some sort of vector to trick the user. Probably not that hard via a watering hole attack somewhere that VMware users congregate.
