Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX

Information

Severity

Severity

Medium

Family

Family

VMware Local Security Checks

CVSSv2 Base

CVSSv2 Base

4.4

CVSSv2 Vector

CVSSv2 Vector

AV:L/AC:M/Au:N/C:P/I:P/A:P

Solution Type

Solution Type

Vendor Patch

Created

Created

10 years ago

Modified

Modified

5 years ago

Summary

VMware ESXi and ESX unauthorized file access through vCenter Server and ESX

Insight

Insight

a. VMware ESXi and ESX unauthorized file access through vCenter Server and ESX VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual Machine file descriptors. This issue may allow an unprivileged vCenter Server user with the privilege 'Add Existing Disk' to obtain read and write access to arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain read and write access to arbitrary files. Modifying certain files may allow for code execution after a host reboot. Unpriviledged vCenter Server users or groups that are assigned the predefined role 'Virtual Machine Power User' or 'Resource Pool Administrator' have the privilege 'Add Existing Disk'. The issue cannot be exploited through VMware vCloud Director. Workaround A workaround is provided in VMware Knowledge Base article 2066856. Mitigation In a default vCenter Server installation no unprivileged users or groups are assigned the predefined role 'Virtual Machine Power User' or 'Resource Pool Administrator'. Restrict the number of vCenter Server users that have the privilege 'Add Existing Disk'.

Affected Software

Affected Software

VMware ESXi 5.5 without patch ESXi550-201312001 VMware ESXi 5.1 without patch ESXi510-201310001 VMware ESXi 5.0 without patch update-from-esxi5.0-5.0_update03 VMware ESXi 4.1 without patch ESXi410-201312001 VMware ESXi 4.0 without patch ESXi400-201310001 VMware ESX 4.1 without patch ESX410-201312001 VMware ESX 4.0 without patch ESX400-201310001

Detection Method

Detection Method

Checks for missing patches.

Solution

Solution

Apply the missing patch(es).

Common Vulnerabilities and Exposures (CVE)