VMware ESXi 4.0 through 5.5 and ESX 4.0 and 4.1 allow local users to read or modify arbitrary files by leveraging the Virtual Machine Power User or Resource Pool Administrator role for a vCenter Server Add Existing Disk action with a (1) -flat, (2) -rdm, or (3) -rdmp filename.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by an arbitrary file modification vulnerability due to improper handling of certain Virtual Machine file descriptors. A local attacker can exploit this to read or modify arbitrary files.

The remote VMware ESXi 5.5 host is affected by an error in the handling of certain Virtual Machine file descriptors. This could allow an unprivileged user with the 'Add Existing Disk' privilege to obtain read and write access to arbitrary files, possibly leading to arbitrary code execution after a host reboot.

The remote VMware ESXi 5.1 host is affected by an error in the handling of certain Virtual Machine file descriptors. This could allow an unprivileged user with the 'Add Existing Disk' privilege to obtain read and write access to arbitrary files, possibly leading to arbitrary code execution after a host reboot.

a. VMware ESXi and ESX unauthorized file access through vCenter Server and

The remote VMware ESXi 5.1 host is affected by the following security vulnerabilities :

  - An integer overflow condition exists in the glibc     library in the __tzfile_read() function that allows a     denial of service or arbitrary code execution.
    (CVE-2009-5029)

  - An error exists in the glibc library related to modified     loaders and 'LD_TRACE_LOADED_OBJECTS' checks that allow     arbitrary code execution. This issue is disputed by the     creators of glibc. (CVE-2009-5064)

  - An integer signedness error exists in the     elf_get_dynamic_info() function in elf/dynamic-link.h     that allows arbitrary code execution. (CVE-2010-0830)

  - An error exists in the glibc library in the addmntent()     function that allows a corruption of the '/etc/mtab'     file. (CVE-2011-1089)

  - An error exists in the libxslt library in the     xsltGenerateIdFunction() function that allows the     disclosure of sensitive information. (CVE-2011-1202)

  - An off-by-one overflow condition exists in the     xmlXPtrEvalXPtrPart() function due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this, via a specially     crafted XML file, to cause a denial of service condition     or the execution of arbitrary code. (CVE-2011-3102)

  - An out-of-bounds read error exists in the libxslt     library in the xsltCompilePatternInternal() function     that allows a denial of service. (CVE-2011-3970)

  - An error exists in the glibc library in the svc_run()     function that allows a denial of service.
    (CVE-2011-4609)

  - An overflow error exists in the glibc library in the     printf() function related to 'nargs' parsing that allows     arbitrary code execution. (CVE-2012-0864)

  - Multiple integer overflow conditions exist due to     improper validation of user-supplied input when handling     overly long strings. An unauthenticated, remote     attacker can exploit this, via a specially crafted XML     file, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2012-2807)

  - Multiple type-confusion errors exist in the     'IS_XSLT_ELEM' macro and the xsltApplyTemplates()     function that allow a denial of service or the     disclosure of sensitive information. (CVE-2012-2825,     CVE-2012-2871)

  - A use-after-free error exists in the libxslt library in     the xsltGenerateIdFunction() function that allows a     denial of service or arbitrary code execution.
    (CVE-2012-2870)

  - Multiple format string error exist in glibc that allow     arbitrary code execution. (CVE-2012-3404, CVE-2012-3405,     CVE-2012-3406)

  - Multiple overflow errors exist in the glibc functions     strtod(), strtof(), strtold(), and strtod_l() that allow     arbitrary code execution. (CVE-2012-3480)

  - A heap-based underflow condition exists in the bundled     libxml2 library due to incorrect parsing of strings not     containing an expected space. A remote attacker can     exploit this, via a specially crafted XML document, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2012-5134)

  - An arbitrary file modification vulnerability due to     improper handling of certain Virtual Machine file     descriptors. A local attacker can exploit this to read     or modify arbitrary files. (CVE-2013-5973)

The remote VMware ESXi 5.0 host is affected by the following security vulnerabilities :

  - Multiple errors exist related to OpenSSL that could     allow information disclosure or denial of service     attacks. (CVE-2013-0166, CVE-2013-0169)

  - An error exists in the libxml2 library related to the     expansion of XML internal entities. An attacker can     exploit this to cause a denial of service. (CVE-2013-0338)

  - An unspecified error exists related to 'hostd-vmdb'. An     attacker can exploit this to cause a denial of service.
    (CVE-2013-5970)

  - An error exists in the handling of certain Virtual     Machine file descriptors. This may allow an unprivileged     user with the 'Add Existing Disk' privilege to obtain     read and write access to arbitrary files, possibly     leading to arbitrary code execution after a host reboot.
    (CVE-2013-5973)

  - A NULL pointer dereference flaw exists in the handling     of Network File Copy (NFC) traffic. This issue may lead     to a denial of service if an attacker intercepts and     modifies the NFC traffic. (CVE-2014-1207)

  - A denial of service vulnerability exists in the handling     of invalid ports that could allow a guest user to crash     the VMX process. (CVE-2014-1208)

ID	Name	Product	Family	Severity
89671	VMware ESX / ESXi Arbitrary File Modification (VMSA-2013-0016) (remote check)	Nessus	Misc.	medium
71774	ESXi 5.5 < Build 1474526 File Descriptors Privilege Escalation (remote check)	Nessus	Misc.	medium
71773	ESXi 5.1 < Build 1312873 File Descriptors Privilege Escalation (remote check)	Nessus	Misc.	medium
71617	VMSA-2013-0016 : VMware ESXi and ESX unauthorized file access through vCenter Server and ESX	Nessus	VMware ESX Local Security Checks	medium
70886	ESXi 5.1 < Build 1063671 Multiple Vulnerabilities (remote check)	Nessus	Misc.	medium
70879	ESXi 5.0 < Build 1311175 Multiple Vulnerabilities (remote check)	Nessus	Misc.	medium

Detections

Analytics

CVE-2013-5973

high

Tenable Plugins

medium

medium

medium

medium

medium

medium