#VU22409 Time-of-check Time-of-use (TOCTOU) Race Condition in VMware, Inc products - CVE-2019-5519
Published: October 30, 2019
Vulnerability identifier: #VU22409
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-5519
CWE-ID:
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
VMware Fusion
VMware Workstation
VMware ESXi
Software vendor:
VMware, Inc
Description
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The vulnerability exists due to a Time-of-check Time-of-use (TOCTOU) race condition in the virtual USB 1.1 UHCI (Universal Host Controller Interface). An attacker with physical access to a virtual machine with a virtual USB controller present can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Remediation
Install updates from the vendor's website.