AttackerKB AKB:AEFA1581-91E6-4BFD-963B-1F35A6CC494C
Apr 01, 2019 - 12:00 a.m.

VMware Fusion APIs available without auth via web socket (CVE-2019-5514)

EPSS: 0.074 (percentile: 94.2%)

VMware Fusion (11.x before 11.0.3) contains a security vulnerability: certain unauthenticated APIs are accessible through a web socket. An attacker may exploit this issue by tricking the host user into executing JavaScript that performs unauthorized functions on a guest machine where VMware Tools is installed. This may be further exploited to execute commands on the guest machines.

Recent assessments:

jrobles-r7 at May 28, 2019 6:57pm UTC reported:

From the theevilbit write-up I can’t tell if arguments can be provided to the programs that are launched in the VMs. If arguments can be provided to the launched programs then this would be worse.

busterb at May 28, 2019 6:44pm UTC reported:

From the theevilbit write-up I can’t tell if arguments can be provided to the programs that are launched in the VMs. If arguments can be provided to the launched programs then this would be worse.

space-r7 at May 28, 2019 6:43pm UTC reported:

From the theevilbit write-up I can’t tell if arguments can be provided to the programs that are launched in the VMs. If arguments can be provided to the launched programs then this would be worse.

Assessed Attacker Value: 4
Assessed Attacker Value: 4
Assessed Attacker Value: 2
