VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
VMware ESXi 5.5 without patch ESXi550-201312001
VMware ESXi 5.1 without patch ESXi510-201310001
VMware ESXi 5.0 without patch update-from-esxi5.0-5.0_update03
VMware ESXi 4.1 without patch ESXi410-201312001
VMware ESXi 4.0 without patch ESXi400-201310001
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201310001
a. VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual Machine file descriptors. This issue may allow an unprivileged vCenter Server user with the privilege "Add Existing Disk" to obtain read and write access to arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain read and write access to arbitrary files. Modifying certain files may allow for code execution after a host reboot.
Unprivileged vCenter Server users or groups that are assigned the predefined role "Virtual Machine Power User" or "Resource Pool Administrator" have the privilege "Add Existing Disk".
The issue cannot be exploited through VMware vCloud Director.
VMware would like to thank Shanon Olsson for reporting this issue to us through JPCERT.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-5973 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
Known Issues (*)
Deploying these patches does not remediate the issue if the ESXi or ESX file /etc/vmware/configrules has been modified manually (modifying this file is uncommon). Customers who have modified this file should apply the workaround after installing the patch.
After deploying the patches, Virtual Machines that have their names ending in "-flat", "-rdm" or "-rdmp" will no longer power on. See the VMware Knowledge Base article listed under "Workaround" for a solution.
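A pre-patch audit covering two points from this advisory, the roles that carry "Add Existing Disk" and the VM names that stop powering on after patching, as an added example that is not part of VMware's advisory. The privilege ID, the abbreviated role contents, the principals and the VM names are constructed assumptions; replace them with your own exported inventory.

```python
"""Pre-patch audit for CVE-2013-5973. Added example; all inventory data is constructed."""

# Assumption: vSphere privilege ID behind the UI label "Add Existing Disk".
ADD_EXISTING_DISK = "VirtualMachine.Config.AddExistingDisk"
# VM name endings that the advisory says no longer power on after patching.
BLOCKED_SUFFIXES = ("-flat", "-rdm", "-rdmp")

def roles_with_privilege(roles, privilege=ADD_EXISTING_DISK):
    """Names of roles (predefined or custom) whose privilege set includes `privilege`."""
    return {name for name, privs in roles.items() if privilege in privs}

def exposed_principals(roles, permissions, trusted=frozenset()):
    """Map each non-trusted principal to the entities where it may add existing disks."""
    risky = roles_with_privilege(roles)
    exposed = {}
    for perm in permissions:
        if perm["role"] in risky and perm["principal"] not in trusted:
            exposed.setdefault(perm["principal"], []).append(perm["entity"])
    return exposed

def vms_blocked_after_patch(vm_names):
    """VM names to rename or work around before patching.
    Case-insensitive by choice (an assumption): over-reporting is the safe side."""
    return sorted(n for n in vm_names if n.lower().endswith(BLOCKED_SUFFIXES))

# Constructed, abbreviated inventory (real roles carry many more privileges).
ROLES = {
    "Virtual Machine Power User": {"VirtualMachine.Interact.PowerOn", ADD_EXISTING_DISK},
    "Resource Pool Administrator": {"Resource.AssignVMToPool", ADD_EXISTING_DISK},
    "Disk Helper (custom)": {ADD_EXISTING_DISK},
    "Read-only": {"System.View"},
}
PERMISSIONS = [
    {"principal": "LAB\\dev-team", "role": "Virtual Machine Power User", "entity": "folder:Dev"},
    {"principal": "LAB\\pool-ops", "role": "Resource Pool Administrator", "entity": "pool:Batch"},
    {"principal": "LAB\\auditor", "role": "Read-only", "entity": "datacenter:DC1"},
    {"principal": "LAB\\vi-admins", "role": "Disk Helper (custom)", "entity": "datacenter:DC1"},
]
VM_NAMES = ["web01", "db-flat", "legacy-RDM", "san-rdmp", "flat-file-srv", "rdm-test01"]

if __name__ == "__main__":
    for who, where in exposed_principals(ROLES, PERMISSIONS, {"LAB\\vi-admins"}).items():
        print(f"review: {who} can add existing disks on {', '.join(where)}")
    for name in vms_blocked_after_patch(VM_NAMES):
        print(f"rename or apply workaround before patching: {name}")
```

Custom roles are checked by privilege rather than by name, so a cloned or renamed role that still grants "Add Existing Disk" is reported alongside the two predefined roles the advisory names.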
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
ESXi and ESX
ESXi550-201312001 contains ESXi550-201312101-SG
ESXi510-201310001 contains ESXi510-201310101-SG
update-from-esxi5.0-5.0_update03 contains ESXi500-201310101-SG
ESXi410-201312001 contains ESXi410-201312401-SG
ESXi400-201310001 contains ESXi400-201310401-SG
ESX410-201312001 contains ESX410-201312401-SG
ESX400-201310001 contains ESX400-201310401-SG
Initial security advisory in conjunction with the release of ESXi 5.5 patches on 2013-12-22
E-mail list for product security notifications and announcements:
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
Copyright 2013 VMware Inc. All rights reserved.