Anfälligkeitssuche        Suche in 172616 CVE Beschreibungen
und 81291 Test Beschreibungen,
Zugriff auf 10,000+ Quellverweise.
Tests   CVE   Alle  

Test Kennung:1.3.6.1.4.1.25623.1.0.103863
Kategorie:VMware Local Security Checks
Titel:VMware ESXi/ESX unauthorized file access through vCenter Server and ESX (VMSA-2013-0016)
Zusammenfassung:VMware ESXi and ESX unauthorized file access through vCenter Server and ESX.
Beschreibung:Summary:
VMware ESXi and ESX unauthorized file access through vCenter Server and ESX.

Vulnerability Insight:
a. VMware ESXi and ESX unauthorized file access through vCenter Server and ESX

VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual
Machine file descriptors. This issue may allow an unprivileged vCenter Server
user with the privilege 'Add Existing Disk' to obtain read and write access to
arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain
read and write access to arbitrary files. Modifying certain files may allow
for code execution after a host reboot.

Unpriviledged vCenter Server users or groups that are assigned the predefined
role 'Virtual Machine Power User' or 'Resource Pool Administrator' have the
privilege 'Add Existing Disk'.

The issue cannot be exploited through VMware vCloud Director.

Affected Software/OS:
VMware ESXi 5.5 without patch ESXi550-201312001

VMware ESXi 5.1 without patch ESXi510-201310001

VMware ESXi 5.0 without patch update-from-esxi5.0-5.0_update03

VMware ESXi 4.1 without patch ESXi410-201312001

VMware ESXi 4.0 without patch ESXi400-201310001

VMware ESX 4.1 without patch ESX410-201312001

VMware ESX 4.0 without patch ESX400-201310001

Solution:
Apply the missing patch(es).

Workaround

A workaround is provided in VMware Knowledge Base article 2066856.

Mitigation

In a default vCenter Server installation no unprivileged users or groups
are assigned the predefined role 'Virtual Machine Power User' or 'Resource
Pool Administrator'. Restrict the number of vCenter Server users that have
the privilege 'Add Existing Disk'.

CVSS Score:
4.4

CVSS Vector:
AV:L/AC:M/Au:N/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2013-5973
BugTraq ID: 64491
http://www.securityfocus.com/bid/64491
Bugtraq: 20131223 NEW VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX (Google Search)
http://www.securityfocus.com/archive/1/530482/100/0/threaded
http://jvn.jp/en/jp/JVN13154935/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000123.html
http://osvdb.org/101387
http://www.securitytracker.com/id/1029529
XForce ISS Database: vmware-esx-esxi-cve20135973-sec-bypass(89938)
https://exchange.xforce.ibmcloud.com/vulnerabilities/89938
CopyrightCopyright (C) 2013 Greenbone Networks GmbH

Dies ist nur einer von 81291 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.

Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.




© 1998-2020 E-Soft Inc. Alle Rechte vorbehalten.