CVE-2018-5511
VMware Workstation 14.1.5 / VMware Player 15.0.2 - Host VMX Process Impersonation Hijack Privilege Escalation
Severity Score
7.2
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.
En F5 BIG-IP, de la versión 13.1.0 a la 13.1.0.3 o en la versión 13.0.0, cuando los usuarios administrativos autenticados ejecutan comandos en el TMUI (Traffic Management User Interface), también llamado utilidad BIG-IP Configuration, podrían no aplicarse las restricciones sobre los comandos permitidos.
The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user and follows the common pattern of impersonating the user while calling CreateProcessAsUser. This is an issue as the user has the ability to replace any drive letter for themselves, which allows a non-admin user to hijack the path to the VMX executable, allowing the user to get arbitrary code running as a trusted VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.0.2.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-01-12 CVE Reserved
- 2018-04-13 CVE Published
- 2024-01-27 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/152213/VMware-Host-VMX-Process-Impersonation-Hijack-Privilege-Escalation.html | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/46600 | 2024-09-16 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://support.f5.com/csp/article/K30500703 | 2019-10-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Vmware Search vendor "Vmware" | Workstation Search vendor "Vmware" for product "Workstation" | 14.1.5 Search vendor "Vmware" for product "Workstation" and version "14.1.5" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows 10 Search vendor "Microsoft" for product "Windows 10" | * | - |
Safe
|
| F5 Search vendor "F5" | Big-ip Local Traffic Manager Search vendor "F5" for product "Big-ip Local Traffic Manager" | 13.0.0 Search vendor "F5" for product "Big-ip Local Traffic Manager" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Local Traffic Manager Search vendor "F5" for product "Big-ip Local Traffic Manager" | 13.1.0 Search vendor "F5" for product "Big-ip Local Traffic Manager" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Application Acceleration Manager Search vendor "F5" for product "Big-ip Application Acceleration Manager" | 13.0.0 Search vendor "F5" for product "Big-ip Application Acceleration Manager" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Application Acceleration Manager Search vendor "F5" for product "Big-ip Application Acceleration Manager" | 13.1.0 Search vendor "F5" for product "Big-ip Application Acceleration Manager" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Advanced Firewall Manager Search vendor "F5" for product "Big-ip Advanced Firewall Manager" | 13.0.0 Search vendor "F5" for product "Big-ip Advanced Firewall Manager" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Advanced Firewall Manager Search vendor "F5" for product "Big-ip Advanced Firewall Manager" | 13.1.0 Search vendor "F5" for product "Big-ip Advanced Firewall Manager" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Analytics Search vendor "F5" for product "Big-ip Analytics" | 13.0.0 Search vendor "F5" for product "Big-ip Analytics" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Analytics Search vendor "F5" for product "Big-ip Analytics" | 13.1.0 Search vendor "F5" for product "Big-ip Analytics" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Access Policy Manager Search vendor "F5" for product "Big-ip Access Policy Manager" | 13.0.0 Search vendor "F5" for product "Big-ip Access Policy Manager" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Access Policy Manager Search vendor "F5" for product "Big-ip Access Policy Manager" | 13.1.0 Search vendor "F5" for product "Big-ip Access Policy Manager" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Application Security Manager Search vendor "F5" for product "Big-ip Application Security Manager" | 13.0.0 Search vendor "F5" for product "Big-ip Application Security Manager" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Application Security Manager Search vendor "F5" for product "Big-ip Application Security Manager" | 13.1.0 Search vendor "F5" for product "Big-ip Application Security Manager" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Edge Gateway Search vendor "F5" for product "Big-ip Edge Gateway" | 13.0.0 Search vendor "F5" for product "Big-ip Edge Gateway" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Edge Gateway Search vendor "F5" for product "Big-ip Edge Gateway" | 13.1.0 Search vendor "F5" for product "Big-ip Edge Gateway" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Global Traffic Manager Search vendor "F5" for product "Big-ip Global Traffic Manager" | 13.0.0 Search vendor "F5" for product "Big-ip Global Traffic Manager" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Global Traffic Manager Search vendor "F5" for product "Big-ip Global Traffic Manager" | 13.1.0 Search vendor "F5" for product "Big-ip Global Traffic Manager" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Link Controller Search vendor "F5" for product "Big-ip Link Controller" | 13.0.0 Search vendor "F5" for product "Big-ip Link Controller" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Link Controller Search vendor "F5" for product "Big-ip Link Controller" | 13.1.0 Search vendor "F5" for product "Big-ip Link Controller" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Policy Enforcement Manager Search vendor "F5" for product "Big-ip Policy Enforcement Manager" | 13.0.0 Search vendor "F5" for product "Big-ip Policy Enforcement Manager" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Policy Enforcement Manager Search vendor "F5" for product "Big-ip Policy Enforcement Manager" | 13.1.0 Search vendor "F5" for product "Big-ip Policy Enforcement Manager" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Webaccelerator Search vendor "F5" for product "Big-ip Webaccelerator" | 13.0.0 Search vendor "F5" for product "Big-ip Webaccelerator" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Webaccelerator Search vendor "F5" for product "Big-ip Webaccelerator" | 13.1.0 Search vendor "F5" for product "Big-ip Webaccelerator" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Websafe Search vendor "F5" for product "Big-ip Websafe" | 13.0.0 Search vendor "F5" for product "Big-ip Websafe" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Websafe Search vendor "F5" for product "Big-ip Websafe" | 13.1.0 Search vendor "F5" for product "Big-ip Websafe" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Domain Name System Search vendor "F5" for product "Big-ip Domain Name System" | 13.0.0 Search vendor "F5" for product "Big-ip Domain Name System" and version "13.0.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Domain Name System Search vendor "F5" for product "Big-ip Domain Name System" | 13.1.0 Search vendor "F5" for product "Big-ip Domain Name System" and version "13.1.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Big-ip Enterprise Manager Search vendor "F5" for product "Big-ip Enterprise Manager" | 3.1.1 Search vendor "F5" for product "Big-ip Enterprise Manager" and version "3.1.1" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Workstation Player Search vendor "Vmware" for product "Workstation Player" | 15.0.2 Search vendor "Vmware" for product "Workstation Player" and version "15.0.2" | - |
Affected
| ||||||