CVE-2018-5511

VMware Workstation 14.1.5 / VMware Player 15.0.2 - Host VMX Process Impersonation Hijack Privilege Escalation

Severity Score (CVSS v3): 7.2
Exploit Likelihood (EPSS): -
Affected Versions (CPE): -
Public Exploits (Multiple Sources): 1
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.

The VMX process (vmware-vmx.exe) configures and hosts an instance of a VM. As is common with desktop virtualization platforms, the VM host usually has privileged access to the OS, such as mapping physical memory, which represents a security risk. To mitigate this, the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe), which runs as SYSTEM. This prevents a non-administrator user from opening the process and abusing its elevated access. Unfortunately, the process is created as the desktop user and follows the common pattern of impersonating the user while calling CreateProcessAsUser. This is an issue because the user has the ability to replace any drive letter for themselves, which allows a non-admin user to hijack the path to the VMX executable and get arbitrary code running as a trusted VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.0.2.

Credits: N/A

CVSS Scores

CVSS v3:
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: High
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: High

CVSS v2:
  Attack Vector: Network
  Attack Complexity: Low
  Authentication: Single
  Confidentiality: Partial
  Integrity: Partial
  Availability: Partial

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-01-12 CVE Reserved
  • 2018-04-13 CVE Published
  • 2024-01-27 EPSS Updated
  • 2024-09-16 CVE Updated
  • 2024-09-16 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CAPEC
Affected Vendors, Products, and Versions

Vendor        Product                                Version  Other  Status
Vmware        Workstation                            14.1.5   -      Affected
  in Microsoft  Windows 10                           *        -      Safe
F5            Big-ip Local Traffic Manager           13.0.0   -      Affected
F5            Big-ip Local Traffic Manager           13.1.0   -      Affected
F5            Big-ip Application Acceleration Manager 13.0.0  -      Affected
F5            Big-ip Application Acceleration Manager 13.1.0  -      Affected
F5            Big-ip Advanced Firewall Manager       13.0.0   -      Affected
F5            Big-ip Advanced Firewall Manager       13.1.0   -      Affected
F5            Big-ip Analytics                       13.0.0   -      Affected
F5            Big-ip Analytics                       13.1.0   -      Affected
F5            Big-ip Access Policy Manager           13.0.0   -      Affected
F5            Big-ip Access Policy Manager           13.1.0   -      Affected
F5            Big-ip Application Security Manager    13.0.0   -      Affected
F5            Big-ip Application Security Manager    13.1.0   -      Affected
F5            Big-ip Edge Gateway                    13.0.0   -      Affected
F5            Big-ip Edge Gateway                    13.1.0   -      Affected
F5            Big-ip Global Traffic Manager          13.0.0   -      Affected
F5            Big-ip Global Traffic Manager          13.1.0   -      Affected
F5            Big-ip Link Controller                 13.0.0   -      Affected
F5            Big-ip Link Controller                 13.1.0   -      Affected
F5            Big-ip Policy Enforcement Manager      13.0.0   -      Affected
F5            Big-ip Policy Enforcement Manager      13.1.0   -      Affected
F5            Big-ip Webaccelerator                  13.0.0   -      Affected
F5            Big-ip Webaccelerator                  13.1.0   -      Affected
F5            Big-ip Websafe                         13.0.0   -      Affected
F5            Big-ip Websafe                         13.1.0   -      Affected
F5            Big-ip Domain Name System              13.0.0   -      Affected
F5            Big-ip Domain Name System              13.1.0   -      Affected
F5            Big-ip Enterprise Manager              3.1.1    -      Affected
Vmware        Workstation Player                     15.0.2   -      Affected