VMware ESXi and ESX unauthorized file access through vCenter Server and ESX

Apply the missing patch(es).

a. VMware ESXi and ESX unauthorized file access through vCenter Server and ESX VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual Machine file descriptors. This issue may allow an unprivileged vCenter Server user with the privilege "Add Existing Disk" to obtain read and write access to arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain read and write access to arbitrary files. Modifying certain files may allow for code execution after a host reboot. Unpriviledged vCenter Server users or groups that are assigned the predefined role "Virtual Machine Power User" or "Resource Pool Administrator" have the privilege "Add Existing Disk". The issue cannot be exploited through VMware vCloud Director. Workaround A workaround is provided in VMware Knowledge Base article 2066856. Mitigation In a default vCenter Server installation no unprivileged users or groups are assigned the predefined role "Virtual Machine Power User" or "Resource Pool Administrator". Restrict the number of vCenter Server users that have the privilege "Add Existing Disk".

VMware ESXi 5.5 without patch ESXi550-201312001 VMware ESXi 5.1 without patch ESXi510-201310001 VMware ESXi 5.0 without patch update-from-esxi5.0-5.0_update03 VMware ESXi 4.1 without patch ESXi410-201312001 VMware ESXi 4.0 without patch ESXi400-201310001 VMware ESX 4.1 without patch ESX410-201312001 VMware ESX 4.0 without patch ESX400-201310001

Checks for missing patches.

• http://www.vmware.com/security/advisories/VMSA-2013-0016.html

---

Updated on 2015-03-25