lgtosync.sys in VMware Workstation 9.x before 9.0.3, VMware Player 5.x before 5.0.3, VMware Fusion 5.x before 5.0.4, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1, when a 32-bit Windows guest OS is used, allows guest OS users to gain guest OS privileges via an application that performs a crafted memory allocation.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by a privilege escalation vulnerability due to improper handling of control code in the lgtosync.sys driver. A local attacker can exploit this escalate privileges on Windows-based 32-bit guest operating systems.

The installed version of VMware Player 5.x running on Windows is earlier than 5.0.3.  It therefore reportedly contains a vulnerability in its handling in the LGTOSYNC.SYS driver.  This issue could allow a local, malicious user to escalate privileges on 32-bit Guest Operating Systems running Windows XP. 

Note that by exploiting this issue, a local attacker could elevate his privileges only on the Guest OS and not on the host.

The version of VMware Fusion 5.x installed on the remote Mac OS X host is prior to 5.0.4.  It is, therefore, reportedly affected by a privilege escalation vulnerability in the LGTOSYNC.SYS driver on 32-bit Guest Operating Systems running Windows XP. 

Note that by exploiting this issue, a local attacker could elevate his privileges only on the Guest Operating System and not on the host.

a. VMware LGTOSYNC privilege escalation.

   VMware ESX, Workstation and Fusion contain a vulnerability    in the handling of control code in lgtosync.sys. A local    malicious user may exploit this vulnerability to manipulate the    memory allocation. This could result in a privilege    escalation on 32-bit Guest Operating Systems running Windows 2000    Server, Windows XP or Windows 2003 Server on ESXi and ESX; or    Windows XP on Workstation and Fusion.

   The vulnerability does not allow for privilege escalation    from the Guest Operating System to the host. This means    that host memory can not be manipulated from the Guest    Operating System.

   VMware would like to thank Derek Soeder of Cylance, Inc. for    reporting this issue to us. 

   The Common Vulnerabilityies and Exposures project (cve.mitre.org)    has assigned the name CVE-2013-3519 to this issue.

The installed version of VMware Workstation 9.x is prior to 9.0.3. It is, therefore, affected by multiple local privilege escalation vulnerabilities :

  - An issue exists in the handling of shared libraries     that could allow a local, malicious user to escalate     privileges on Linux hosts. (CVE-2013-5972 /     VMSA-2013-0013)

  - An issue exists in the handling of the LGTOSYNC.SYS     driver on Windows hosts that could allow a local,     malicious user to escalate privileges on 32-bit Guest     Operating Systems running Windows XP. Note that by     exploiting this issue, a local attacker could elevate     his privileges only on the Guest Operating System and     not on the host. (CVE-2013-3519 / VMSA-2013-0014)

The remote VMware ESXi 5.0 host is affected by the following vulnerabilities :

  - An off-by-one overflow condition exists in the     xmlXPtrEvalXPtrPart() function due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this, via a specially     crafted XML file, to cause a denial of service condition     or the execution of arbitrary code. (CVE-2011-3102)

  - Multiple integer overflow conditions exist due to     improper validation of user-supplied input when handling     overly long strings. An unauthenticated, remote     attacker can exploit this, via a specially crafted XML     file, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2012-2807)

  - A heap-based underflow condition exists in the bundled     libxml2 library due to incorrect parsing of strings not     containing an expected space. A remote attacker can     exploit this, via a specially crafted XML document, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2012-5134)

  - A privilege escalation vulnerability exists due to     improper handling of control code in the lgtosync.sys     driver. A local attacker can exploit this escalate     privileges on Windows-based 32-bit guest operating     systems. (CVE-2013-3519)

ID	Name	Product	Family	Severity
89669	VMware ESX / ESXi Guest OS Local Privilege Escalation (VMSA-2013-0014) (remote check)	Nessus	Misc.	high
71231	VMware Player 5.x < 5.0.3 LGTOSYNC.SYS Guest Privilege Escalation (VMSA-2013-0014)	Nessus	Windows	high
71230	VMware Fusion 5.x < 5.0.4 LGTOSYNC.SYS Privilege Escalation (VMSA-2013-0014)	Nessus	MacOS X Local Security Checks	high
71214	VMSA-2013-0014 : VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation	Nessus	VMware ESX Local Security Checks	high
71054	VMware Workstation 9.x < 9.0.3 Multiple Privilege Escalation Vulnerabilities (VMSA-2013-0013 / VMSA-2013-0014)	Nessus	General	high
70877	ESXi 5.0 < Build 1022489 Multiple Vulnerabilities (remote check)	Nessus	Misc.	high

Detections

Analytics

CVE-2013-3519

high

Tenable Plugins

high

high

high

high

high

high