VMware vSphere ESXi, Workstation and Fusion workaround for CVE-2019-5518 and CVE-2019-5519
search cancel

VMware vSphere ESXi, Workstation and Fusion workaround for CVE-2019-5518 and CVE-2019-5519

book

Article ID: 318679

calendar_today

Updated On:

Products

VMware Desktop Hypervisor VMware vSphere ESXi

Issue/Introduction

CVE-2019-5518 and CVE-2019-5519 have been determined to affect:

  • VMware vSphere ESXi 6.7, 6.5 & 6.0 (ESXi)
  • VMware Workstation Pro / Player 15.x & 14.x (Workstation)
  • VMware Fusion Pro / Fusion 11.x & 10.x (Fusion)

These vulnerabilities and their impact on VMware products are documented in VMSA-2019-0005. Please review this advisory before continuing as there may be considerations outside the scope of this particular document.

VMware has investigated CVE-2019-5518 and CVE-2019-5519 and determined that the possibility of exploitation can be removed by performing the steps detailed in the resolution section of this article. This workaround is meant to be a temporary solution only - permanent fixes are as detailed in VMSA-2019-0005.

Warning: This workaround is applicable ONLY to: 

  • VMware vSphere ESXi 6.7, 6.5 & 6.0 (ESXi)
  • VMware Workstation Pro / Player 15.x & 14.x (Workstation)
  • VMware Fusion Pro / Fusion 11.x & 10.x (Fusion)

Do not apply this workaround to other VMware products.

VMware vSphere ESXi Functionality Impacts:

The workaround is to remove any virtual USB 1.1 (UHCI) / 2.0 (EHCI) controllers that might be attached to the VM. Unless the VM has a virtual USB 3.0 (xHCI) controller, the VM will be left with no USB controllers at all. As a result, the
user will be unable to connect USB devices to the VM via USB passthrough. This includes both Host-Connected and Client-Connected USB passthrough:

  • Host-Connected: This has been available since vSphere 4.1, and allows a USB device plugged directly into the ESXi/ESX host to be passed through to a virtual machine.
  • Client-Connected: This feature became available with the release of vSphere 5.0, and allows a USB device plugged into a user’s workstation to be passed through to a virtual machine via the vSphere Client.



Environment

VMware Workstation Pro 15.x (Windows)
VMware Workstation Pro 14.x (for Windows)
VMware vSphere ESXi 6.0
VMware Fusion Pro 10.x
VMware vSphere ESXi 6.7
VMware Fusion Pro 11.x
VMware Workstation Pro 14.x (for Linux)
VMware Workstation Pro 15.x (Linux)
VMware vSphere ESXi 6.5

Resolution

VMware vSphere ESXi Resolution

Both vulnerabilities are in the virtual USB 1.1 (UHCI) controller. To work around the issue, the virtual USB 1.1 controller needs to be removed from the VM.

Notes:

  • The vSphere UI (vCenter Server, ESXi Embedded Host Client) only allows for the configuration of virtual USB 2.0 or virtual USB 3.0 controllers in VMs.
  • When a virtual USB 2.0 controller is added to a VM in vSphere, BOTH a virtual USB 1.1 AND a virtual USB 2.0 controller are added to the VM by default.
  • Removing the virtual USB 2.0 controller will also remove the virtual USB 1.1 controller from the VM.

To implement the workaround for CVE-2019-5518 and CVE-2019-5519, perform the following steps:

Through the vSphere User Interface (UI):

  1. Power-off the virtual machine.
  2. Right-click the virtual machine and click "Edit Settings".
  3. Remove all USB 2.0 controllers from the VM. This will also automatically remove all USB 1.1 controllers.
  4. Click "Save" to apply the new virtual machine configuration.
  5. Power-on the virtual machine.

Verify from the guest that there is no USB 1.1 / USB 2.0 controller visible to the guest.

Windows

  1. Open Windows Device Manager (Win+R and type devmgmt.msc).
  2. Expand the list of Universal Serial Bus controllers.
  3. Ensure there is no "USB Universal Host Controller" visible in the list.
  4. Ensure there is no "USB2 Enhanced Host Controller" visible in the list.

Linux

  1. Open a terminal.
  2. Type "lspci | grep -i usb" .
  3. Ensure there is no USB1.1/USB2.0 controller in the lspci output.

Mac

  1. Navigate to Apple menu > About this Mac.
  2. Click the System Report button.
  3. Go to Hardware > USB.
  4. Ensure there is no USB 1.1/USB 2.0 bus listed.

To reverse the workaround, add a USB 2.0 controller to a virtual machine. This will automatically add a USB 1.1 controller.

Through the vSphere User Interface (UI):

  1. Power-off the virtual machine.
  2. Right-click the virtual machine and click Edit Settings.
  3. Click on "Add Other Device".
  4. Click on "USB Controller".
  5. Chose USB 2.0 as the controller type.
  6. Click "Save" to apply the new virtual machine configuration.

VMware Workstation and Fusion Resolution

Both vulnerabilities are in the virtual USB 1.1 (UHCI) controller. To work around the issue the virtual USB 1.1 controller needs to be removed from the VM.

Notes:

  • The Workstation and Fusion UI allow for the configuration of virtual USB 1.1 or virtual USB 2.0 or virtual USB 3.0 controllers in VMs. 
  • When a virtual USB 2.0 controller is added to a VM in Workstation or Fusion, BOTH a virtual USB 1.1 AND a virtual USB 2.0 controller are added to the VM by default. Removing the virtual USB 2.0 controller will also remove the virtual USB 1.1 controller from the VM.
  • When a virtual USB 3.0 controller is added to a VM in Workstation or Fusion, a virtual USB 1.1 AND a virtual USB 2.0 AND a virtual USB 3.0 controller are added to the VM by default. Removing the virtual USB 3.0 controller will also remove the virtual USB 1.1 controller AND the virtual USB 2.0 controller from the VM.

Perform the following steps to remove all USB controllers, to implement the workaround for CVE-2019-5518 and CVE-2019-5519:

Through the Workstation User Interface (UI):

  1. Power-off the virtual machine.
  2. Select “VM > Settings”.
  3. Click "Hardware".
  4. Select the USB Controller device.
  5. Click "Remove".

Through the Fusion User Interface (UI):

  1. Power-off the virtual machine.
  2. Select “Window > Virtual Machine Library”.
  3. Select a virtual machine in the “Virtual Machine Library” window and click “Settings”.
  4. Under Removable Devices in the “Settings” window, click “USB & Bluetooth”.
  5. Under Advanced USB options, click “Remove USB Controller”.
  6. Click “Remove” in the confirmation dialog box.

Verify from the guest OS that there is no USB 1.1/USB 2.0/USB 3.0 controller visible to the guest.

Windows

  1. Open Windows Device Manager (Win+R and type devmgmt.msc).
  2. Expand the list of Universal Serial Bus controllers.
  3. Ensure there is no "USB Universal Host Controller" visible in the list.
  4. Ensure there is no "USB2 Enhanced Host Controller" visible in the list.
  5. Ensure there is no "USB3 eXtensible Host Controller" visible in the list.

Linux

  1. Open a terminal.
  2. Type "lspci | grep -i usb". 
  3. Ensure there is no USB1.1/USB2.0/USB 3.0 controller in the lspci output.

Mac

  1. Navigate to Apple menu > About this Mac.
  2. Click the System Report button.
  3. Go to Hardware > USB.
  4. Ensure there is no USB1.1/USB2.0/USB 3.0 bus listed.

To reverse the workaround, add a USB controller to a virtual machine:

Through the Workstation User Interface (UI):

  1. Power-off the virtual machine.
  2. Select “VM > Settings”.
  3. On the "Hardware" tab, click “Add”.
  4. In the “New Hardware” wizard, select “USB Controller”.
  5. Click “Finish” to add the USB controller.
  6. Configure the USB connection settings.

Through the Fusion User Interface (UI):

  1. Power-off the virtual machine.
  2. Select “Window > Virtual Machine Library”.
  3. Select a virtual machine in the “Virtual Machine Library” window and click “Settings”.
  4. Under Removable Devices in the “Settings” window, click “USB & Bluetooth”.
  5. Under Advanced USB options, use the drop-down menu to select how Fusion should respond when a USB device is plugged in to your Mac.

For an up-to-date information on CVE-2019-5518 and CVE-2019-5519 as well as future security information please add your email address to the "Sign up for Security Advisories" window found in VMSA-2019-0005.

Powered by Wolken Software