VMware ESX/ESXi up to 4.1/5.1 Windows 32-bit Guest OS lgtosync.sys access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.7 | $0-$5k | 0.00 |
Summary
A vulnerability identified as critical has been detected in VMware ESX and ESXi up to 4.1/5.1. Affected by this vulnerability is an unknown functionality of the file lgtosync.sys of the component Windows 32-bit Guest OS Handler. The manipulation leads to access control. This vulnerability is listed as CVE-2013-3519. There is no available exploit. You should upgrade the affected component.
Details
A vulnerability was found in VMware ESX and ESXi up to 4.1/5.1 (Virtualization Software) and classified as critical. This issue affects some unknown functionality of the file lgtosync.sys of the component Windows 32-bit Guest OS Handler. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
lgtosync.sys in VMware Workstation 9.x before 9.0.3, VMware Player 5.x before 5.0.3, VMware Fusion 5.x before 5.0.4, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1, when a 32-bit Windows guest OS is used, allows guest OS users to gain guest OS privileges via an application that performs a crafted memory allocation.
The weakness was presented 12/03/2013 as VMSA-2013-0014 as confirmed advisory (Website). It is possible to read the advisory at vmware.com. The public release was coordinated in cooperation with VMware. The identification of this vulnerability is CVE-2013-3519 since 05/08/2013. Attacking locally is a requirement. A simple authentication is required for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK. The advisory points out:
VMware ESX, Workstation and Fusion contain a vulnerability in the handling of control code in lgtosync.sys. A local malicious user may exploit this vulnerability to manipulate the memory allocation. This could result in a privilege escalation on 32-bit Guest Operating Systems running Windows 2000 Server, Windows XP or Windows 2003 Server on ESXi and ESX; or Windows XP on Workstation and Fusion. The vulnerability does not allow for privilege escalation from the Guest Operating System to the host. This means that host memory can not be manipulated from the Guest Operating System.
The vulnerability scanner Nessus provides a plugin with the ID 71214 (VMSA-2013-0014 : VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation), which helps to determine the existence of the flaw in a target environment. It is assigned to the family VMware ESX Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 216048 (VMWare ESXi 5.0.0 Patch Release ESXi500-201303001 Missing (KB2044373)).
Upgrading to version 4.1 or 5.1 eliminates this vulnerability. The upgrade is hosted for download at vmware.com. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (89416), Tenable (71214), SecurityFocus (BID 64075†), OSVDB (100514†) and Secunia (SA55684†). vmware.com is providing further details. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.vmware.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.0VulDB Meta Temp Score: 6.7
VulDB Base Score: 7.0
VulDB Temp Score: 6.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 71214
Nessus Name: VMSA-2013-0014 : VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 103851
OpenVAS Name: VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: ESX/ESXi 4.1/5.1
Timeline
02/08/2013 🔍05/08/2013 🔍
12/03/2013 🔍
12/03/2013 🔍
12/04/2013 🔍
12/04/2013 🔍
12/04/2013 🔍
12/05/2013 🔍
12/23/2013 🔍
06/02/2021 🔍
Sources
Vendor: vmware.comAdvisory: VMSA-2013-0014
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2013-3519 (🔍)
GCVE (CVE): GCVE-0-2013-3519
GCVE (VulDB): GCVE-100-11363
OVAL: 🔍
IAVM: 🔍
X-Force: 89416
SecurityFocus: 64075
Secunia: 55684 - VMware Multiple Products LGTOSYNC Guest Privilege Escalation Vulnerability, Not Critical
OSVDB: 100514
Vulnerability Center: 42674 - VMware Workstation, Player, Fusion, ESXi and ESX Servers Remote Security Bypass via a Crafted Application, High
scip Labs: https://www.scip.ch/en/?labs.20060413
Misc.: 🔍
Entry
Created: 12/05/2013 09:18Updated: 06/02/2021 15:36
Changes: 12/05/2013 09:18 (90), 05/18/2017 08:35 (1), 06/02/2021 15:36 (3)
Complete: 🔍
Cache ID: 216:6C4:103
No comments yet. Languages: en.
Please log in to comment.