Preface: Are GPU vulnerable to hacker attacks?

Background: On virtual machines running VMware Fusion provides support for OpenGL 2.1 to support 3D accelerated desktops. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

Vulnerability details:

CVE-2019-5521 – may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host.

CVE-2019-5684 – This vulnerability can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host.

Security Focus: Since no additional details provided by vendor. But believe that the possible way let hacker exploit CVE-2019-5521 design weakness is Perfect Timing Attacks (Please refer to photo). Apart from that the hacker can exploit out of bound read / write to bypass address space layout randomization (ASLR). So, be alerted!

Vendor announcement: please refer to the url – https://www.vmware.com/security/advisories/VMSA-2019-0012.html