VMware vSphere ESXi Resolution
Both vulnerabilities are in the virtual USB 1.1 (UHCI) controller. To work around the issue, the virtual USB 1.1 controller needs to be removed from the VM.
Notes:
- The vSphere UI (vCenter Server, ESXi Embedded Host Client) only allows for the configuration of virtual USB 2.0 or virtual USB 3.0 controllers in VMs.
- When a virtual USB 2.0 controller is added to a VM in vSphere, BOTH a virtual USB 1.1 AND a virtual USB 2.0 controller are added to the VM by default.
- Removing the virtual USB 2.0 controller will also remove the virtual USB 1.1 controller from the VM.
To implement the workaround for CVE-2019-5518 and CVE-2019-5519, perform the following steps:
Through the vSphere User Interface (UI):
- Power off the virtual machine.
- Right-click the virtual machine and click "Edit Settings".
- Remove all USB 2.0 controllers from the VM. This will also automatically remove all USB 1.1 controllers.
- Click "Save" to apply the new virtual machine configuration.
- Power on the virtual machine.
Verify from the guest that there is no USB 1.1 / USB 2.0 controller visible to the guest.
Windows
- Open Windows Device Manager (Win+R and type devmgmt.msc).
- Expand the list of Universal Serial Bus controllers.
- Ensure there is no "USB Universal Host Controller" visible in the list.
- Ensure there is no "USB2 Enhanced Host Controller" visible in the list.
Linux
- Open a terminal.
- Type "lspci | grep -i usb".
- Ensure there is no USB1.1/USB2.0 controller in the lspci output.
Mac
- Navigate to Apple menu > About this Mac.
- Click the System Report button.
- Go to Hardware > USB.
- Ensure there is no USB 1.1/USB 2.0 bus listed.
To reverse the workaround, add a USB 2.0 controller to a virtual machine. This will automatically add a USB 1.1 controller.
Through the vSphere User Interface (UI):
- Power off the virtual machine.
- Right-click the virtual machine and click Edit Settings.
- Click on "Add Other Device".
- Click on "USB Controller".
- Choose USB 2.0 as the controller type.
- Click "Save" to apply the new virtual machine configuration.
VMware Workstation and Fusion Resolution
Both vulnerabilities are in the virtual USB 1.1 (UHCI) controller. To work around the issue, the virtual USB 1.1 controller needs to be removed from the VM.
Notes:
- The Workstation and Fusion UI allow for the configuration of virtual USB 1.1 or virtual USB 2.0 or virtual USB 3.0 controllers in VMs.
- When a virtual USB 2.0 controller is added to a VM in Workstation or Fusion, BOTH a virtual USB 1.1 AND a virtual USB 2.0 controller are added to the VM by default. Removing the virtual USB 2.0 controller will also remove the virtual USB 1.1 controller from the VM.
- When a virtual USB 3.0 controller is added to a VM in Workstation or Fusion, a virtual USB 1.1 AND a virtual USB 2.0 AND a virtual USB 3.0 controller are added to the VM by default. Removing the virtual USB 3.0 controller will also remove the virtual USB 1.1 controller AND the virtual USB 2.0 controller from the VM.
To implement the workaround for CVE-2019-5518 and CVE-2019-5519, perform the following steps to remove all USB controllers:
Through the Workstation User Interface (UI):
- Power off the virtual machine.
- Select “VM > Settings”.
- Click "Hardware".
- Select the USB Controller device.
- Click "Remove".
Through the Fusion User Interface (UI):
- Power off the virtual machine.
- Select “Window > Virtual Machine Library”.
- Select a virtual machine in the “Virtual Machine Library” window and click “Settings”.
- Under Removable Devices in the “Settings” window, click “USB & Bluetooth”.
- Under Advanced USB options, click “Remove USB Controller”.
- Click “Remove” in the confirmation dialog box.
Verify from the guest OS that there is no USB 1.1/USB 2.0/USB 3.0 controller visible to the guest.
Windows
- Open Windows Device Manager (Win+R and type devmgmt.msc).
- Expand the list of Universal Serial Bus controllers.
- Ensure there is no "USB Universal Host Controller" visible in the list.
- Ensure there is no "USB2 Enhanced Host Controller" visible in the list.
- Ensure there is no "USB3 eXtensible Host Controller" visible in the list.
Linux
- Open a terminal.
- Type "lspci | grep -i usb".
- Ensure there is no USB1.1/USB2.0/USB 3.0 controller in the lspci output.
Mac
- Navigate to Apple menu > About this Mac.
- Click the System Report button.
- Go to Hardware > USB.
- Ensure there is no USB1.1/USB2.0/USB 3.0 bus listed.
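The Linux guest check from both the ESXi and the Workstation/Fusion sections, as an added example that is not part of the VMware article: instead of reading lspci device names by eye, it classifies controllers by the standard PCI class code exposed in sysfs. The function names, the "esxi"/"hosted" mode names and the optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not VMware code). PCI class 0x0c03 is "USB controller";
# the last byte is the programming interface:
#   0x00 UHCI (USB 1.1), 0x10 OHCI (USB 1.1), 0x20 EHCI (USB 2.0), 0x30 xHCI (USB 3.x)

# list_usb_controllers [PCI_DEVICES_DIR]
# Prints one "<pci-address> <type>" line per USB host controller found.
list_usb_controllers() {
    dir=${1:-/sys/bus/pci/devices}
    for dev in "$dir"/*; do
        [ -r "$dev/class" ] || continue
        case $(cat "$dev/class") in
            0x0c0300) type="USB1.1-UHCI" ;;
            0x0c0310) type="USB1.1-OHCI" ;;
            0x0c0320) type="USB2.0-EHCI" ;;
            0x0c0330) type="USB3-xHCI" ;;
            *) continue ;;
        esac
        printf '%s %s\n' "${dev##*/}" "$type"
    done
}

# check_workaround MODE [PCI_DEVICES_DIR]
#   esxi   - fail if a USB 1.1 or USB 2.0 controller is visible (ESXi steps)
#   hosted - fail if any USB controller is visible (Workstation/Fusion steps)
# Returns 0 when the guest matches the expected post-workaround state.
check_workaround() {
    mode=$1
    found=$(list_usb_controllers "$2")
    case $mode in
        esxi)   bad=$(printf '%s\n' "$found" | grep -E 'USB1\.1|USB2\.0' || true) ;;
        hosted) bad=$found ;;
        *) echo "usage: check_workaround esxi|hosted [dir]" >&2; return 2 ;;
    esac
    if [ -n "$bad" ]; then
        printf 'FAIL: controller still present:\n%s\n' "$bad"
        return 1
    fi
    echo "PASS: no affected USB controller visible"
}
```

Source the file in the guest and run `check_workaround esxi` or `check_workaround hosted`; a non-zero exit status means a controller the workaround should have removed is still attached.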
To reverse the workaround, add a USB controller to a virtual machine:
Through the Workstation User Interface (UI):
- Power off the virtual machine.
- Select “VM > Settings”.
- On the "Hardware" tab, click “Add”.
- In the “New Hardware” wizard, select “USB Controller”.
- Click “Finish” to add the USB controller.
- Configure the USB connection settings.
Through the Fusion User Interface (UI):
- Power off the virtual machine.
- Select “Window > Virtual Machine Library”.
- Select a virtual machine in the “Virtual Machine Library” window and click “Settings”.
- Under Removable Devices in the “Settings” window, click “USB & Bluetooth”.
- Under Advanced USB options, use the drop-down menu to select how Fusion should respond when a USB device is plugged in to your Mac.
For up-to-date information on CVE-2019-5518 and CVE-2019-5519, as well as future security information, please add your email address to the "Sign up for Security Advisories" window found in VMSA-2019-0005.