CVE-2019-5544
Published: 06 December 2019
Summary
CVE-2019-5544 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in the OpenSLP service shipped with VMware ESXi (and Horizon DaaS appliances). Its CVSS base score is 9.8 (Critical).
Operationally it matters: this CVE ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
OpenSLP as used in VMware ESXi and Horizon DaaS appliances contains a heap overwrite vulnerability tracked as CVE-2019-5544. The flaw is assigned CWE-787 and carries a CVSSv3 base score of 9.8 reflecting network attack vector, low attack complexity, and no required privileges or user interaction. VMware rates the issue as critical.
An unauthenticated attacker who can reach the SLP listener (TCP/UDP port 427) can send specially crafted SLP packets that trigger the out-of-bounds write; successful exploitation yields full compromise of confidentiality, integrity, and availability on the affected host.
Public advisories such as VMware VMSA-2019-0022 and the associated Red Hat errata RHSA-2019:4240 and RHSA-2020:0199 describe available patches and updated OpenSLP packages that remediate the flaw.
The vendor and Red Hat advisories themselves do not describe observed exploitation; the indication that the flaw has been exploited in the wild is CISA's addition of the CVE to the KEV catalog on 03 November 2021.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-15119
Vulnerability details
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply the vendor patches referenced in VMSA-2019-0022, which remove the heap overwrite in OpenSLP; on Linux systems that ship the OpenSLP package, the corresponding fixes are the RHSA-2019:4240 and RHSA-2020:0199 errata. This is the only control that eliminates the flaw itself; the two below reduce exposure until it is applied.
- SC-7 (Boundary Protection): block unauthenticated network access to the SLP listener (TCP and UDP port 427) from everything except trusted management networks, so an attacker cannot deliver the crafted packets that trigger the out-of-bounds write. ESXi management interfaces should not be reachable from general-purpose or Internet-facing segments at all.
- Least functionality: disable or restrict the OpenSLP service wherever it is not required, removing the attack surface for remote unauthenticated exploitation. On ESXi this means stopping the slpd service and disabling the CIMSLP firewall ruleset (VMware documents the esxcli steps in its knowledge base); first confirm that no CIM-based hardware monitoring depends on SLP discovery of the host, since that discovery is the only function the service provides.
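Whichever of the two exposure-reducing controls you apply, verify it from the network the attacker would sit on. The following is an added example (not code from this page, VMware, or the cited advisories): it builds a minimal SLPv2 service request as specified in RFC 2608 and reports whether a host still answers on UDP/427. The XID value, the 2-second timeout and the default target address are the example's own choices; nothing in it touches the overflow, it only asks the service agent to identify itself.

```python
"""Added example: SLPv2 exposure check for ESXi hosts (RFC 2608 packet layout).
Returns whether an unauthenticated client can still talk to the OpenSLP listener
that CVE-2019-5544 lives in.  Assumed: UDP/427 reachable, plain unicast, no
SLP extensions.  Hypothetical target address in __main__ is a placeholder."""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST = 1    # Service Request
FN_SRVRPLY = 2    # Service Reply
FN_SAADVERT = 11  # SA Advertisement: the reply to a service:service-agent request


def _slp_string(s: str) -> bytes:
    """SLP strings are a 2-byte big-endian length followed by the UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def build_srvrqst(xid: int, service_type: str = "service:service-agent",
                  scope: str = "default", lang: str = "en") -> bytes:
    """Build an SLPv2 SrvRqst.  Body first, so the 3-byte length field in the
    header can cover the whole datagram; flags and next-extension offset stay
    zero because this is a unicast request with no extensions."""
    body = (_slp_string("")            # previous-responder list: empty
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string("")          # LDAPv3 predicate: none
            + _slp_string(""))         # SLP SPI: none
    lang_b = lang.encode("ascii")
    # header: version(1) function(1) length(3) flags(2) next-ext(3) xid(2) lang-len(2) lang
    total = 14 + len(lang_b) + len(body)
    header = (struct.pack("!BB", SLP_VERSION, FN_SRVRQST)
              + total.to_bytes(3, "big")
              + struct.pack("!H", 0)             # flags: O, F, R all clear
              + (0).to_bytes(3, "big")           # next extension offset
              + struct.pack("!H", xid)
              + struct.pack("!H", len(lang_b)) + lang_b)
    return header + body


def parse_slp_header(pkt: bytes) -> dict:
    """Parse the fixed SLPv2 header.  Raises ValueError for anything that does
    not look like SLPv2, so random UDP noise is never mistaken for a reply."""
    if len(pkt) < 14:
        raise ValueError("too short for an SLPv2 header")
    version, function = pkt[0], pkt[1]
    if version != SLP_VERSION:
        raise ValueError(f"not SLPv2 (version byte {version})")
    length = int.from_bytes(pkt[2:5], "big")
    flags = struct.unpack("!H", pkt[5:7])[0]
    next_ext = int.from_bytes(pkt[7:10], "big")
    xid = struct.unpack("!H", pkt[10:12])[0]
    lang_len = struct.unpack("!H", pkt[12:14])[0]
    if length != len(pkt) or 14 + lang_len > len(pkt):
        raise ValueError("length fields inconsistent with datagram size")
    return {"version": version, "function": function, "length": length,
            "flags": flags, "next_ext": next_ext, "xid": xid,
            "lang": pkt[14:14 + lang_len].decode("ascii", "replace")}


def slp_exposed(host: str, port: int = SLP_PORT, timeout: float = 2.0) -> bool:
    """True if `host` answers our SrvRqst with an SLPv2 SrvRply/SAAdvert carrying
    our XID; False on timeout, ICMP unreachable, or non-SLP data.  False is the
    result you want after firewalling or disabling slpd; True on an unpatched
    ESXi host means the CVE-2019-5544 attack surface is reachable from here."""
    xid = 0x1337  # arbitrary transaction id, echoed back by a real responder
    req = build_srvrqst(xid)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(req, (host, port))
            data, _ = s.recvfrom(4096)
        hdr = parse_slp_header(data)
    except (OSError, ValueError):
        return False
    return hdr["xid"] == xid and hdr["function"] in (FN_SRVRPLY, FN_SAADVERT)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder host
    state = "reachable" if slp_exposed(target) else "not reachable"
    print(f"{target}: SLP {state} on UDP/{SLP_PORT}")
```

Run it from the segment that is supposed to be blocked (a non-management VLAN, for instance) against each ESXi host; a reply means the unauthenticated SLP listener is still reachable from there. OpenSLP also listens on TCP/427 and joins the multicast group 239.255.255.253, so a UDP-only probe is a spot check of the boundary rule, not proof that the service is gone; confirming that slpd is stopped on the host itself is the complementary check.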