Moderate
CVE-2019-5183
Description
An exploitable type confusion vulnerability exists in AMD ATIDXX64.DLL driver, versions 26.20.13031.10003, 26.20.13031.15006 and 26.20.13031.18002. A specially crafted pixel shader can cause a type confusion issue, leading to potential code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host.
Ratings
- Attacker Value: Medium
- Exploitability: High
Technical Analysis
The attacker utility for this particular vulnerability is limited by the hardware dependency. Additionally, the vulnerability as described in the original disclosure cannot be used for privilege escalation, only VMware escapes.
The vmware-vmx.exe process on the host OS runs as the user which started VMware, which is why the vulnerability would not yield SYSTEM privileges on the host. At the time of this writing, the vmware-vmx.exe process does not utilize the new Control Flow Guard, which would make it easier to overwrite an entry in the vtable with a function pointer, aiding in exploit development.
While a failed exploit attempt would not crash the host OS because the vulnerability is not kernel mode, the VMware guest may be affected and become unresponsive.
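Two checks a host owner can run to verify the points made in this assessment, as an added example that is not part of the original page or of any AMD/VMware tooling: a lookup of a driver file version against the three affected ATIDXX64.DLL builds listed in the description, and a static read of the PE optional header's DllCharacteristics to see whether a binary such as vmware-vmx.exe was linked with Control Flow Guard (this checks the image flag, not the runtime mitigation policy). The `make_test_pe` helper builds a constructed header so the script can be exercised offline; the file paths are supplied by the user.

```python
import struct

# Affected ATIDXX64.DLL builds named in the description above.
VULNERABLE_VERSIONS = {"26.20.13031.10003", "26.20.13031.15006", "26.20.13031.18002"}

IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000  # optional-header flag set by /guard:cf


def is_vulnerable_version(version: str) -> bool:
    """True if a driver file version string matches one of the affected builds."""
    return version.strip() in VULNERABLE_VERSIONS


def pe_has_cfg(data: bytes) -> bool:
    """Return True if the PE image in `data` was linked with Control Flow Guard.

    Reads IMAGE_OPTIONAL_HEADER.DllCharacteristics (offset 70 in both the PE32
    and PE32+ optional headers) and tests IMAGE_DLLCHARACTERISTICS_GUARD_CF.
    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_hdr = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF file header
    size_opt = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    if size_opt < 72 or len(data) < opt_hdr + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt_hdr + 70)[0]
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF)


def make_test_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32+ header (not a real binary) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the host's vmware-vmx.exe
        with open(path, "rb") as f:
            print(path, "CFG" if pe_has_cfg(f.read()) else "no CFG")
```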
Ratings
- Attacker Value: Low
- Exploitability: Medium
Technical Analysis
This is one of a set of vulnerabilities discovered in the AMD Radeon graphics drivers for VMware Workstation by Talos, including the DoS vulnerabilities CVE-2019-5124, CVE-2019-5147 and CVE-2019-5146. CVE-2019-5183 is important because it allows overwriting the vtable and causing arbitrary code execution on the host OS, ~likely as a privileged~ user under vmware-vmx.exe. The breakout allows an assailant to leave the guest OS and enter the host OS.
While it poses a risk, many mitigating factors affect the utility of the vulnerability. This is a local exploit to the guest operating system, and thus requires previous access through another means. Talos performed coordinated disclosure, so this vulnerability is already patched, allowing a fast mitigation strategy. Further, given the limited and local nature of VMware Workstation, as well as the necessity for a specific driver to be in use, the reduced surface area for attackers decreases the return on investment to develop an attack, which to my knowledge has not been seen in the wild yet.
The bottom line is that this poses a risk and should be addressed, but it is not a scary, immediate risk. Continue to patch through patching cycles and add signatures to IDS systems, but unless you have a very aggressive threat model, this is not an immediate threat.
General Information
Vendors
- amd
Products
- atidxx64 26.20.13031.10003
- atidxx64 26.20.13031.15006
- atidxx64 26.20.13031.18002
Good catch on the vmware-vmx process; I’d assumed it would be high privilege!