| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.9 | $0-$5k | 0.00 |
A vulnerability was found in VMware ESX and ESXi (Virtualization Software) (version unknown). It has been classified as problematic. Affected is an unknown function of the component vCenter Server. The manipulation with an unknown input leads to a access control vulnerability (File). CWE is classifying the issue as CWE-264. This is going to have an impact on confidentiality, and integrity. CVE summarizes:
VMware ESXi 4.0 through 5.5 and ESX 4.0 and 4.1 allow local users to read or modify arbitrary files by leveraging the Virtual Machine Power User or Resource Pool Administrator role for a vCenter Server Add Existing Disk action with a (1) -flat, (2) -rdm, or (3) -rdmp filename.
The weakness was shared 12/22/2013 by Shanon Olsson with JPCERT as VMSA-2013-0016 as confirmed advisory (Website). The advisory is available at vmware.com. This vulnerability is traded as CVE-2013-5973 since 10/01/2013. Local access is required to approach this attack. The successful exploitation requires a authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1068 by the MITRE ATT&CK project. The advisory points out:
VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual Machine file descriptors. This issue may allow an unprivileged vCenter Server user with the privilege “Add Existing Disk" to obtain read and write access to arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain read and write access to arbitrary files. Modifying certain files may allow for code execution after a host reboot.
The vulnerability scanner Nessus provides a plugin with the ID 71774 (ESXi 5.5 < Build 1474526 File Descriptors Privilege Escalation (remote check)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Misc.. The commercial vulnerability scanner Qualys is able to test this issue with plugin 216060 (VMware ESXi 4.1.0 Patch Release ESXi410-201312001 Missing (KB2061210)). The advisory illustrates:
Unpriviledged vCenter Server users or groups that are assigned the predefined role "Virtual Machine Power User" or "Resource Pool Administrator" have the privilege "Add Existing Disk".
Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability. The advisory contains the following remark:
A workaround is provided in VMware Knowledge Base article 2066856. In a default vCenter Server installation no unprivileged users or groups are assigned the predefined role "Virtual Machine Power User" or "Resource Pool Administrator". Restrict the number of vCenter Server users that have the privilege “Add Existing Disk". (...) Deploying these patches does not remediate the issue if the ESXi or ESX file /etc/vmware/configrules has been modified manually (modifying this file is uncommon). Customers who have modified this file should apply the workaround after installing the patch.
The vulnerability is also documented in the databases at X-Force (89938) and Tenable (71774). The entries 11996 and 11997 are related to this item.
Product
Type
Vendor
Name
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.4VulDB Meta Temp Score: 3.9
VulDB Base Score: 4.4
VulDB Temp Score: 3.9
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Name: FileClass: Access control / File
CWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Local: Yes
Remote: No
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 71774
Nessus Name: ESXi 5.5 < Build 1474526 File Descriptors Privilege Escalation (remote check)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 103863
OpenVAS Name: VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Timeline
10/01/2013 🔍12/22/2013 🔍
12/22/2013 🔍
12/22/2013 🔍
12/22/2013 🔍
12/23/2013 🔍
12/23/2013 🔍
12/23/2013 🔍
12/27/2013 🔍
12/31/2013 🔍
06/04/2021 🔍
Sources
Vendor: vmware.comAdvisory: VMSA-2013-0016
Researcher: Shanon Olsson
Organization: JPCERT
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2013-5973 (🔍)
OVAL: 🔍
X-Force: 89938 - VMware ESXi and ESX file descriptors security bypass
SecurityTracker: 1029529
Vulnerability Center: 42675 - VMware ESXi and ESX Local File System Read, Write and Code Execution Vulnerabilities via vCenter Server and ESX, Medium
SecurityFocus: 64491
Secunia: 56235 - VMware ESX Server / ESXi Virtual Machine File Descriptors Security Bypass Vulnerability, Less Critical
OSVDB: 101387
scip Labs: https://www.scip.ch/en/?labs.20060413
See also: 🔍
Entry
Created: 12/27/2013 23:42Updated: 06/04/2021 17:09
Changes: 12/27/2013 23:42 (90), 05/18/2017 08:36 (1), 06/04/2021 17:02 (3), 06/04/2021 17:09 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.