CVE-2019-5543
📋 TL;DR
This vulnerability allows any local user on a Windows system to write to the VMware USB arbitration service configuration folder. By exploiting this improper permissions issue, an attacker could execute arbitrary commands with the privileges of any user on the system. Affected products include VMware Horizon Client, VMware Remote Console, and VMware Workstation for Windows.
💻 Affected Systems
- VMware Horizon Client for Windows
- VMware Remote Console for Windows
- VMware Workstation for Windows
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via privilege escalation to SYSTEM or administrator accounts, enabling persistent backdoors, data theft, and lateral movement.
Likely Case
Local privilege escalation allowing attackers to gain administrative privileges on the compromised host, potentially leading to credential harvesting and further network access.
If Mitigated
Limited impact if proper access controls and least privilege principles are already implemented, though the vulnerability still provides a privilege escalation vector.
🎯 Exploit Status
Exploitation requires local user access but is straightforward once access is obtained. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: VMware Horizon Client 5.3.0+, VMware Remote Console 11.0.0+, VMware Workstation 15.5.2+
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0004.html
Restart Required: Yes
Instructions:
1. Download the latest version from VMware's official website.
2. Install the update following VMware's installation guide.
3. Restart the system to ensure all services use the updated components.
🔧 Temporary Workarounds
Restrict folder permissions
Manually modify the permissions on the VMware USB arbitration service configuration folder to remove write access for non-administrative users.
icacls "C:\ProgramData\VMware\USB Arbitration Service" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
🧯 If You Can't Patch
- Restrict local user access to affected systems and implement strict privilege separation
- Monitor for suspicious activity and file modifications in VMware configuration directories
🔍 How to Verify
Check if Vulnerable:
Check whether the USB arbitration service folder has improper permissions: run icacls "C:\ProgramData\VMware\USB Arbitration Service" and look for write permissions granted to the Users or Everyone groups.
Check Version:
For VMware Workstation: vmware -v; For Horizon Client: Check Help > About; For Remote Console: Check About dialog in application
Verify Fix Applied:
Verify the folder permissions are restricted after patch: icacls "C:\ProgramData\VMware\USB Arbitration Service" should show only SYSTEM and Administrators with full control.
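The icacls check above can be automated over output collected from many hosts. The following is an added example, not part of the original advisory or any VMware tooling: it parses icacls output and reports entries that grant write-type rights to any principal other than SYSTEM and Administrators. It assumes English principal names, and the sample output is constructed for illustration.

```python
import re

# icacls rights tokens that allow creating or changing content, or changing the ACL/owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA", "WDAC", "WO", "DC"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Assumption: English principal names; the page expects only these two on the folder.
TRUSTED = {"nt authority\\system", "builtin\\administrators"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

def risky_aces(icacls_output, folder):
    """Return (principal, rights) pairs granting write access to untrusted principals."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(folder.lower()):
            line = line[len(folder):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        if "DENY" in groups:
            continue  # deny entries never grant access
        rights = set()
        for g in groups:
            rights.update(t for t in g.split(",") if t not in INHERIT_FLAGS)
        granted = sorted(rights & WRITE_RIGHTS)
        if granted and m.group("who").lower() not in TRUSTED:
            findings.append((m.group("who"), granted))
    return findings

# Constructed sample output (not captured from a real host).
FOLDER = r"C:\ProgramData\VMware\USB Arbitration Service"
SAMPLE = "\n".join([
    FOLDER + r" NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
    r"    BUILTIN\Administrators:(I)(OI)(CI)(F)",
    r"    BUILTIN\Users:(I)(OI)(CI)(RX)",
    r"    BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE, FOLDER):
        print(f"{who} can write: {', '.join(rights)}")
```

An empty result means only the trusted principals hold write-type rights, which matches the state described under Verify Fix Applied.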
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event Logs showing unexpected file modifications in VMware directories
- Process creation events from unusual locations with elevated privileges
Network Indicators:
- Unusual outbound connections from VMware processes
- Lateral movement attempts from previously compromised hosts
SIEM Query:
EventID=4688 AND (NewProcessName LIKE '%cmd.exe%' OR NewProcessName LIKE '%powershell.exe%') AND ProcessName LIKE '%VMware%'