Search...

VMware Fusion 5.x < 5.0.4 LGTOSYNC.SYS Privilege Escalation (VMSA-2013-0014)

2013-12-05T00:00:00

ID MACOSX_FUSION_5_0_4.NASL
Type nessus
Reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2019-11-27T00:00:00

Description

The version of VMware Fusion 5.x installed on the remote Mac OS X host is prior to 5.0.4. It is, therefore, reportedly affected by a privilege escalation vulnerability in the LGTOSYNC.SYS driver on 32-bit Guest Operating Systems running Windows XP.

Note that by exploiting this issue, a local attacker could elevate his privileges only on the Guest Operating System and not on the host.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#




include("compat.inc");

if (description)
{
  script_id(71230);
  script_version("1.5");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2013-3519");
  script_bugtraq_id(64075);
  script_xref(name:"VMSA", value:"2013-0014");

  script_name(english:"VMware Fusion 5.x &lt; 5.0.4 LGTOSYNC.SYS Privilege Escalation (VMSA-2013-0014)");
  script_summary(english:"Checks version of Fusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a virtualization application that is affected by a
privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of VMware Fusion 5.x installed on the remote Mac OS X host
is prior to 5.0.4.  It is, therefore, reportedly affected by a privilege
escalation vulnerability in the LGTOSYNC.SYS driver on 32-bit Guest
Operating Systems running Windows XP. 

Note that by exploiting this issue, a local attacker could elevate his
privileges only on the Guest Operating System and not on the host.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Fusion 5.0.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-3519");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/12/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/11/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_fusion_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "MacOSX/Fusion/Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

get_kb_item_or_exit("Host/local_checks_enabled");

os = get_kb_item("Host/MacOSX/Version");
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

version = get_kb_item_or_exit("MacOSX/Fusion/Version");
path = get_kb_item_or_exit("MacOSX/Fusion/Path");

fixed_version = '5.0.4';
if (
  version =~ "^5\." &&
  ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1
)
{
  if (report_verbosity &gt; 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_version + '\n';
    security_hole(port:0, extra:report);
  }
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, "VMware Fusion", version, path);

JSON Vulners Source

Initial Source

{"id": "MACOSX_FUSION_5_0_4.NASL", "type": "nessus", "bulletinFamily": "scanner", "title": "VMware Fusion 5.x < 5.0.4 LGTOSYNC.SYS Privilege Escalation (VMSA-2013-0014)", "description": "The version of VMware Fusion 5.x installed on the remote Mac OS X host is prior to 5.0.4. It is, therefore, reportedly affected by a privilege escalation vulnerability in the LGTOSYNC.SYS driver on 32-bit Guest Operating Systems running Windows XP. \n\nNote that by exploiting this issue, a local attacker could elevate his privileges only on the Guest Operating System and not on the host.", "published": "2013-12-05T00:00:00", "modified": "2019-11-27T00:00:00", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": null, "vector": null}, "href": "https://www.tenable.com/plugins/nessus/71230", "reporter": "This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3519"], "cvelist": ["CVE-2013-3519"], "immutableFields": [], "lastseen": "2021-08-19T12:52:06", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-3519"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/VMSA-2013-0014-CVE-2013-3519/"]}, {"type": "nessus", "idList": ["VMWARE_ESXI_5_0_BUILD_1022489_REMOTE.NASL", "VMWARE_ESX_VMSA-2013-0014_REMOTE.NASL", "VMWARE_PLAYER_PRIV_ESC_VMSA_2013_0014.NASL", "VMWARE_VMSA-2013-0014.NASL", "VMWARE_WORKSTATION_LINUX_9_0_3.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:103850", "OPENVAS:103851", "OPENVAS:1361412562310103850", "OPENVAS:1361412562310103851"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:30067", "SECURITYVULNS:VULN:13443"]}, {"type": "vmware", "idList": ["VMSA-2013-0014"]}], "rev": 4}, "score": {"value": 6.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2013-3519"]}, {"type": "nessus", "idList": ["VMWARE_VMSA-2013-0014.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:103851"]}, {"type": "vmware", "idList": ["VMSA-2013-0014"]}]}, "exploitation": null, "vulnersScore": 6.6}, "pluginID": "71230", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71230);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/27\");\n\n script_cve_id(\"CVE-2013-3519\");\n script_bugtraq_id(64075);\n script_xref(name:\"VMSA\", value:\"2013-0014\");\n\n script_name(english:\"VMware Fusion 5.x < 5.0.4 LGTOSYNC.SYS Privilege Escalation (VMSA-2013-0014)\");\n script_summary(english:\"Checks version of Fusion\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization application that is affected by a\nprivilege escalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Fusion 5.x installed on the remote Mac OS X host\nis prior to 5.0.4. It is, therefore, reportedly affected by a privilege\nescalation vulnerability in the LGTOSYNC.SYS driver on 32-bit Guest\nOperating Systems running Windows XP. \n\nNote that by exploiting this issue, a local attacker could elevate his\nprivileges only on the Guest Operating System and not on the host.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Fusion 5.0.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-3519\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:fusion\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_fusion_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"MacOSX/Fusion/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Fusion/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Fusion/Path\");\n\nfixed_version = '5.0.4';\nif (\n version =~ \"^5\\.\" &&\n ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"VMware Fusion\", version, path);\n", "naslFamily": "MacOS X Local Security Checks", "cpe": ["cpe:/a:vmware:fusion"], "solution": "Upgrade to VMware Fusion 5.0.4 or later.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2013-3519", "vpr": {"risk factor": "Medium", "score": "6"}, "exploitAvailable": false, "exploitEase": "No known exploits are available", "patchPublicationDate": "2013-11-14T00:00:00", "vulnerabilityPublicationDate": "2013-12-03T00:00:00", "exploitableWith": [], "_state": {"dependencies": 1647589307, "score": 0}}

{"openvas": [{"lastseen": "2017-07-02T21:11:22", "description": "VMware Workstation, Fusion, ESXi and ESX patches\naddress a vulnerability in the LGTOSYNC.SYS driver which could result\nin a privilege escalation on older Windows-based Guest Operating\nSystems.", "cvss3": {}, "published": "2013-12-05T00:00:00", "type": "openvas", "title": "VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-3519"], "modified": "2017-05-05T00:00:00", "id": "OPENVAS:103851", "href": "http://plugins.openvas.org/nasl.php?oid=103851", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_VMSA-2013-0014.nasl 6074 2017-05-05 09:03:14Z teissa $\n#\n# VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"VMware Workstation, Fusion, ESXi and ESX patches\naddress a vulnerability in the LGTOSYNC.SYS driver which could result\nin a privilege escalation on older Windows-based Guest Operating\nSystems. \";\n\ntag_solution = \"Apply the missing patch(es).\";\n\ntag_affected = \"VMware Workstation 9.x prior to version 9.0.3\nVMware Player 5.x prior to version 5.0.3\nVMware Fusion 5.x prior to version 5.0.4\n\nVMware ESXi 5.1 without patch ESXi510-201304102\nVMware ESXi 5.0 without patch ESXi500-201303102\nVMware ESXi 4.1 without patch ESXi410-201301402\nVMware ESXi 4.0 without patch ESXi400-201305401\n\nVMware ESX 4.1 without patch ESX410-201301401\nVMware ESX 4.0 without patch ESX400-201305401\";\n\ntag_vuldetect = \"Checks for missing patches.\";\n\ntag_insight = \"a. VMware LGTOSYNC privilege escalation.\n\nVMware ESX, Workstation and Fusion contain a vulnerability in the\nhandling of control code in lgtosync.sys. A local malicious user may\nexploit this vulnerability to manipulate the memory allocation. This\ncould result in a privilege escalation on 32-bit Guest Operating\nSystems running Windows 2000 Server, Windows XP or Windows 2003 Server\non ESXi and ESX; or Windows XP on Workstation and Fusion.\n\nThe vulnerability does not allow for privilege escalation from the\nGuest Operating System to the host. This means that host memory can\nnot be manipulated from the Guest Operating System. \";\n\nif (description)\n{\n script_id(103851);\n script_cve_id(\"CVE-2013-3519\");\n script_tag(name:\"cvss_base\", value:\"7.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_version (\"$Revision: 6074 $\");\n script_name(\"VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation\");\n\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2013-0014.html\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-05 11:03:14 +0200 (Fri, 05 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-05 11:04:01 +0100 (Thu, 05 Dec 2013)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\",\"VMware/ESX/version\");\n\n script_tag(name : \"vuldetect\" , value : tag_vuldetect);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n\n}\n\ninclude(\"vmware_esx.inc\");\ninclude(\"version_func.inc\");\n\nif(!get_kb_item('VMware/ESXi/LSC'))exit(0);\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))exit(0);\n\npatches = make_array(\"4.0.0\",\"ESXi400-201305401-SG\",\n \"4.1.0\",\"ESXi410-201301401-SG\",\n \"5.0.0\",\"VIB:tools-light:5.0.0-2.29.1022489\",\n \"5.1.0\",\"VIB:tools-light:5.1.0-0.11.1063671\");\n\nif(!patches[esxVersion])exit(0);\n\nif(_esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n\n security_message(port:0);\n exit(0);\n\n}\n\nexit(99);\n\n", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-12-19T16:08:05", "description": "VMware Workstation, Fusion, ESXi and ESX patches\n address a vulnerability in the LGTOSYNC.SYS driver which could result\n in a privilege escalation on older Windows-based Guest Operating Systems.", "cvss3": {}, "published": "2013-12-05T00:00:00", "type": "openvas", "title": "VMware ESXi/ESX patches a guest privilege escalation (VMSA-2013-0014)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-3519"], "modified": "2019-12-18T00:00:00", "id": "OPENVAS:1361412562310103851", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103851", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103851\");\n script_cve_id(\"CVE-2013-3519\");\n script_tag(name:\"cvss_base\", value:\"7.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-18T11:13:08+0000\");\n script_name(\"VMware ESXi/ESX patches a guest privilege escalation (VMSA-2013-0014)\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2013-0014.html\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-18 11:13:08 +0000 (Wed, 18 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-12-05 11:04:01 +0100 (Thu, 05 Dec 2013)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\", \"VMware/ESX/version\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if the target host is missing one or more patch(es).\");\n\n script_tag(name:\"insight\", value:\"a. VMware LGTOSYNC privilege escalation.\n\n VMware ESX, Workstation and Fusion contain a vulnerability in the\n handling of control code in lgtosync.sys. A local malicious user may\n exploit this vulnerability to manipulate the memory allocation. This\n could result in a privilege escalation on 32-bit Guest Operating\n Systems running Windows 2000 Server, Windows XP or Windows 2003 Server\n on ESXi and ESX, or Windows XP on Workstation and Fusion.\n\n The vulnerability does not allow for privilege escalation from the\n Guest Operating System to the host. This means that host memory can\n not be manipulated from the Guest Operating System.\");\n\n script_tag(name:\"solution\", value:\"Apply the missing patch(es).\");\n\n script_tag(name:\"summary\", value:\"VMware Workstation, Fusion, ESXi and ESX patches\n address a vulnerability in the LGTOSYNC.SYS driver which could result\n in a privilege escalation on older Windows-based Guest Operating Systems.\");\n\n script_tag(name:\"affected\", value:\"VMware ESXi 5.1 without patch ESXi510-201304102\n\n VMware ESXi 5.0 without patch ESXi500-201303102\n\n VMware ESXi 4.1 without patch ESXi410-201301402\n\n VMware ESXi 4.0 without patch ESXi400-201305401\n\n VMware ESX 4.1 without patch ESX410-201301401\n\n VMware ESX 4.0 without patch ESX400-201305401\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"vmware_esx.inc\");\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/ESXi/LSC\"))\n exit(0);\n\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))\n exit(0);\n\npatches = make_array(\"4.0.0\", \"ESXi400-201305401-SG\",\n \"4.1.0\", \"ESXi410-201301401-SG\",\n \"5.0.0\", \"VIB:tools-light:5.0.0-2.29.1022489\",\n \"5.1.0\", \"VIB:tools-light:5.1.0-0.11.1063671\");\n\nif(!patches[esxVersion])\n exit(99);\n\nif(report = esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:11:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-3519"], "description": "VMware Workstation, Fusion, ESXi and ESX patches\naddress a vulnerability in the LGTOSYNC.SYS driver which could result\nin a privilege escalation on older Windows-based Guest Operating\nSystems.", "modified": "2017-05-10T00:00:00", "published": "2013-12-04T00:00:00", "id": "OPENVAS:103850", "href": "http://plugins.openvas.org/nasl.php?oid=103850", "type": "openvas", "title": "VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation (remote check)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_VMSA-2013-0014_remote.nasl 6093 2017-05-10 09:03:18Z teissa $\n#\n# VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation (remote check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"VMware Workstation, Fusion, ESXi and ESX patches\naddress a vulnerability in the LGTOSYNC.SYS driver which could result\nin a privilege escalation on older Windows-based Guest Operating\nSystems. \";\n\ntag_solution = \"Apply the missing patch(es).\";\n\ntag_affected = \"VMware Workstation 9.x prior to version 9.0.3\nVMware Player 5.x prior to version 5.0.3\nVMware Fusion 5.x prior to version 5.0.4\n\nVMware ESXi 5.1 without patch ESXi510-201304102\nVMware ESXi 5.0 without patch ESXi500-201303102\nVMware ESXi 4.1 without patch ESXi410-201301402\nVMware ESXi 4.0 without patch ESXi400-201305401\n\nVMware ESX 4.1 without patch ESX410-201301401\nVMware ESX 4.0 without patch ESX400-201305401\";\n\ntag_vuldetect = \"Check the build number.\";\n\ntag_insight = \"a. VMware LGTOSYNC privilege escalation.\n\nVMware ESX, Workstation and Fusion contain a vulnerability in the\nhandling of control code in lgtosync.sys. A local malicious user may\nexploit this vulnerability to manipulate the memory allocation. This\ncould result in a privilege escalation on 32-bit Guest Operating\nSystems running Windows 2000 Server, Windows XP or Windows 2003 Server\non ESXi and ESX; or Windows XP on Workstation and Fusion.\n\nThe vulnerability does not allow for privilege escalation from the\nGuest Operating System to the host. This means that host memory can\nnot be manipulated from the Guest Operating System. \";\n\nif (description)\n{\n script_id(103850);\n script_cve_id(\"CVE-2013-3519\");\n script_tag(name:\"cvss_base\", value:\"7.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_version (\"$Revision: 6093 $\");\n script_name(\"VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation (remote check)\");\n\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2013-0014.html\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-10 11:03:18 +0200 (Wed, 10 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-04 10:04:01 +0100 (Wed, 04 Dec 2013)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esx_web_detect.nasl\");\n script_mandatory_keys(\"VMware/ESX/build\",\"VMware/ESX/version\");\n\n script_tag(name : \"vuldetect\" , value : tag_vuldetect);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n\n}\n\ninclude(\"vmware_esx.inc\");\n\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))exit(0);\nif(!esxBuild = get_kb_item(\"VMware/ESX/build\"))exit(0);\n\nfixed_builds = make_array(\"5.0.0\",\"1022489\",\n \"5.1.0\",\"1063671\");\n\nif(!fixed_builds[esxVersion])exit(0);\n\nif(int(esxBuild) < int(fixed_builds[esxVersion])) {\n security_message(port:0, data: esxi_remote_report(ver:esxVersion, build: esxBuild, fixed_build: fixed_builds[esxVersion]));\n exit(0);\n} \n\nexit(99);\n\n\n\n\n\n\n", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:05", "description": "VMware Workstation, Fusion, ESXi and ESX patches\n address a vulnerability in the LGTOSYNC.SYS driver which could result\n in a privilege escalation on older Windows-based Guest Operating Systems.", "cvss3": {}, "published": "2013-12-04T00:00:00", "type": "openvas", "title": "VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation (remote check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-3519"], "modified": "2019-03-14T00:00:00", "id": "OPENVAS:1361412562310103850", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103850", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_VMSA-2013-0014_remote.nasl 14186 2019-03-14 13:57:54Z cfischer $\n#\n# VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation (remote check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103850\");\n script_cve_id(\"CVE-2013-3519\");\n script_tag(name:\"cvss_base\", value:\"7.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 14186 $\");\n script_name(\"VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation (remote check)\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2013-0014.html\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 14:57:54 +0100 (Thu, 14 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-04 10:04:01 +0100 (Wed, 04 Dec 2013)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esx_web_detect.nasl\");\n script_mandatory_keys(\"VMware/ESX/build\", \"VMware/ESX/version\");\n\n script_tag(name:\"vuldetect\", value:\"Check the build number.\");\n\n script_tag(name:\"insight\", value:\"a. VMware LGTOSYNC privilege escalation.\n\nVMware ESX, Workstation and Fusion contain a vulnerability in the\nhandling of control code in lgtosync.sys. A local malicious user may\nexploit this vulnerability to manipulate the memory allocation. This\ncould result in a privilege escalation on 32-bit Guest Operating\nSystems running Windows 2000 Server, Windows XP or Windows 2003 Server\non ESXi and ESX, or Windows XP on Workstation and Fusion.\n\nThe vulnerability does not allow for privilege escalation from the\nGuest Operating System to the host. This means that host memory can\nnot be manipulated from the Guest Operating System.\");\n\n script_tag(name:\"solution\", value:\"Apply the missing patch(es).\");\n\n script_tag(name:\"summary\", value:\"VMware Workstation, Fusion, ESXi and ESX patches\n address a vulnerability in the LGTOSYNC.SYS driver which could result\n in a privilege escalation on older Windows-based Guest Operating Systems.\");\n\n script_tag(name:\"affected\", value:\"VMware Workstation 9.x prior to version 9.0.3\n\n VMware Player 5.x prior to version 5.0.3\n\n VMware Fusion 5.x prior to version 5.0.4\n\n VMware ESXi 5.1 without patch ESXi510-201304102\n\n VMware ESXi 5.0 without patch ESXi500-201303102\n\n VMware ESXi 4.1 without patch ESXi410-201301402\n\n VMware ESXi 4.0 without patch ESXi400-201305401\n\n VMware ESX 4.1 without patch ESX410-201301401\n\n VMware ESX 4.0 without patch ESX400-201305401\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"vmware_esx.inc\");\n\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))exit(0);\nif(!esxBuild = get_kb_item(\"VMware/ESX/build\"))exit(0);\n\nfixed_builds = make_array(\"5.0.0\",\"1022489\",\n \"5.1.0\",\"1063671\");\n\nif(!fixed_builds[esxVersion])exit(0);\n\nif(int(esxBuild) < int(fixed_builds[esxVersion])) {\n security_message(port:0, data: esxi_remote_report(ver:esxVersion, build: esxBuild, fixed_build: fixed_builds[esxVersion]));\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-08-19T12:43:11", "description": "The remote VMware ESX / ESXi host is missing a security-related patch.\nIt is, therefore, affected by a privilege escalation vulnerability due to improper handling of control code in the lgtosync.sys driver. A local attacker can exploit this escalate privileges on Windows-based 32-bit guest operating systems.", "cvss3": {"score": null, "vector": null}, "published": "2016-03-04T00:00:00", "type": "nessus", "title": "VMware ESX / ESXi Guest OS Local Privilege Escalation (VMSA-2013-0014) (remote check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-3519"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:vmware:esx", "cpe:/o:vmware:esxi"], "id": "VMWARE_ESX_VMSA-2013-0014_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/89669", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89669);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2013-3519\");\n script_bugtraq_id(64075);\n script_xref(name:\"VMSA\", value:\"2013-0014\");\n\n script_name(english:\"VMware ESX / ESXi Guest OS Local Privilege Escalation (VMSA-2013-0014) (remote check)\");\n script_summary(english:\"Checks the version and build numbers of the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESX / ESXi host is missing a security-related patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESX / ESXi host is missing a security-related patch.\nIt is, therefore, affected by a privilege escalation vulnerability due\nto improper handling of control code in the lgtosync.sys driver. A\nlocal attacker can exploit this escalate privileges on Windows-based\n32-bit guest operating systems.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2013-0014.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory that\npertains to ESX version 4.0 / 4.1 or ESXi version 4.0 / 4.1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Host/VMware/vsphere\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\nport = get_kb_item_or_exit(\"Host/VMware/vsphere\");\nesx = '';\nbuild = 0;\nfix = FALSE;\n\nif (\"ESX\" >!< rel)\n audit(AUDIT_OS_NOT, \"VMware ESX/ESXi\");\n\nextract = eregmatch(pattern:\"^(ESXi?) (\\d\\.\\d).*$\", string:ver);\nif (empty_or_null(extract))\n audit(AUDIT_UNKNOWN_APP_VER, \"VMware ESX/ESXi\");\n\nesx = extract[1];\nver = extract[2];\n\nextract = eregmatch(pattern:'^VMware ESXi?.* build-([0-9]+)$', string:rel);\nif (isnull(extract))\n audit(AUDIT_UNKNOWN_BUILD, \"VMware \" + esx, ver);\n\nbuild = int(extract[1]);\n\nfixes = make_array(\n \"4.0\", 1070634,\n \"4.1\", 988178\n);\n\nfix = fixes[ver];\n\nif (!fix)\n audit(AUDIT_INST_VER_NOT_VULN, esx, ver, build);\n\nif (build < fix)\n{\n report = '\\n Version : ' + esx + \" \" + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n exit(0);\n}\nelse\n audit(AUDIT_INST_VER_NOT_VULN, \"VMware \" + esx, ver, build);\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:51:52", "description": "a. VMware LGTOSYNC privilege escalation.\n\n VMware ESX, Workstation and Fusion contain a vulnerability in the handling of control code in lgtosync.sys. A local malicious user may exploit this vulnerability to manipulate the memory allocation. This could result in a privilege escalation on 32-bit Guest Operating Systems running Windows 2000 Server, Windows XP or Windows 2003 Server on ESXi and ESX; or Windows XP on Workstation and Fusion.\n\n The vulnerability does not allow for privilege escalation from the Guest Operating System to the host. This means that host memory can not be manipulated from the Guest Operating System.\n\n VMware would like to thank Derek Soeder of Cylance, Inc. for reporting this issue to us. \n\n The Common Vulnerabilityies and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3519 to this issue.", "cvss3": {"score": null, "vector": null}, "published": "2013-12-04T00:00:00", "type": "nessus", "title": "VMSA-2013-0014 : VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-3519"], "modified": "2021-01-06T00:00:00", "cpe": ["cpe:/o:vmware:esx:4.0", "cpe:/o:vmware:esx:4.1", "cpe:/o:vmware:esxi:4.0", "cpe:/o:vmware:esxi:4.1", "cpe:/o:vmware:esxi:5.0", "cpe:/o:vmware:esxi:5.1"], "id": "VMWARE_VMSA-2013-0014.NASL", "href": "https://www.tenable.com/plugins/nessus/71214", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2013-0014. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(71214);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2013-3519\");\n script_bugtraq_id(64075);\n script_xref(name:\"VMSA\", value:\"2013-0014\");\n\n script_name(english:\"VMSA-2013-0014 : VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation\");\n script_summary(english:\"Checks esxupdate output for the patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote VMware ESXi / ESX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"a. VMware LGTOSYNC privilege escalation.\n\n VMware ESX, Workstation and Fusion contain a vulnerability \n in the handling of control code in lgtosync.sys. A local \n malicious user may exploit this vulnerability to manipulate the \n memory allocation. This could result in a privilege \n escalation on 32-bit Guest Operating Systems running Windows 2000\n Server, Windows XP or Windows 2003 Server on ESXi and ESX; or \n Windows XP on Workstation and Fusion.\n\n The vulnerability does not allow for privilege escalation\n from the Guest Operating System to the host. This means \n that host memory can not be manipulated from the Guest \n Operating System.\n\n VMware would like to thank Derek Soeder of Cylance, Inc. for \n reporting this issue to us. \n\n The Common Vulnerabilityies and Exposures project (cve.mitre.org)\n has assigned the name CVE-2013-3519 to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2013/000226.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:5.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2013-12-03\");\nflag = 0;\n\n\nif (\n esx_check(\n ver : \"ESX 4.0\",\n patch : \"ESX400-201305401-SG\",\n patch_updates : make_list(\"ESX400-201310401-SG\", \"ESX400-201404401-SG\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201301401-SG\",\n patch_updates : make_list(\"ESX410-201304401-SG\", \"ESX410-201307401-SG\", \"ESX410-201312401-SG\", \"ESX410-201404401-SG\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESXi 4.0\",\n patch : \"ESXi400-201305401-SG\",\n patch_updates : make_list(\"ESXi400-201310401-SG\", \"ESXi400-201404401-SG\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESXi 4.1\",\n patch : \"ESXi410-201301401-SG\",\n patch_updates : make_list(\"ESXi410-201304401-SG\", \"ESXi410-201307401-SG\", \"ESXi410-201312401-SG\", \"ESXi410-201404401-SG\")\n )\n) flag++;\n\nif (esx_check(ver:\"ESXi 5.0\", vib:\"VMware:tools-light:5.0.0-2.29.1022489\")) flag++;\n\nif (esx_check(ver:\"ESXi 5.1\", vib:\"VMware:tools-light:5.1.0-0.11.1063671\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:51:55", "description": "The installed version of VMware Player 5.x running on Windows is earlier than 5.0.3. It therefore reportedly contains a vulnerability in its handling in the LGTOSYNC.SYS driver. This issue could allow a local, malicious user to escalate privileges on 32-bit Guest Operating Systems running Windows XP. \n\nNote that by exploiting this issue, a local attacker could elevate his privileges only on the Guest OS and not on the host.", "cvss3": {"score": null, "vector": null}, "published": "2013-12-05T00:00:00", "type": "nessus", "title": "VMware Player 5.x < 5.0.3 LGTOSYNC.SYS Guest Privilege Escalation (VMSA-2013-0014)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-3519"], "modified": "2019-11-27T00:00:00", "cpe": ["cpe:/a:vmware:player"], "id": "VMWARE_PLAYER_PRIV_ESC_VMSA_2013_0014.NASL", "href": "https://www.tenable.com/plugins/nessus/71231", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71231);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/27\");\n\n script_cve_id(\"CVE-2013-3519\");\n script_bugtraq_id(64075);\n script_xref(name:\"VMSA\", value:\"2013-0014\");\n\n script_name(english:\"VMware Player 5.x < 5.0.3 LGTOSYNC.SYS Guest Privilege Escalation (VMSA-2013-0014)\");\n script_summary(english:\"Checks VMware Player version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains software with a known, local privilege\nescalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of VMware Player 5.x running on Windows is\nearlier than 5.0.3. It therefore reportedly contains a vulnerability in\nits handling in the LGTOSYNC.SYS driver. This issue could allow a\nlocal, malicious user to escalate privileges on 32-bit Guest Operating\nSystems running Windows XP. \n\nNote that by exploiting this issue, a local attacker could elevate his\nprivileges only on the Guest OS and not on the host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2013-0014.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to VMware Player 5.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-3519\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_player_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"VMware/Player/Path\", \"VMware/Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nversion = get_kb_item_or_exit(\"VMware/Player/Version\");\npath = get_kb_item_or_exit(\"VMware/Player/Path\");\n\nfixed = '5.0.3';\nif (\n ver_compare(ver:version, fix:'5.0.0', strict:FALSE) >= 0 &&\n ver_compare(ver:version, fix:fixed, strict:FALSE) == -1\n)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"VMware Player\", version, path);\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:52:18", "description": "The installed version of VMware Workstation 9.x is prior to 9.0.3. It is, therefore, affected by multiple local privilege escalation vulnerabilities :\n\n - An issue exists in the handling of shared libraries that could allow a local, malicious user to escalate privileges on Linux hosts. (CVE-2013-5972 / VMSA-2013-0013)\n\n - An issue exists in the handling of the LGTOSYNC.SYS driver on Windows hosts that could allow a local, malicious user to escalate privileges on 32-bit Guest Operating Systems running Windows XP. Note that by exploiting this issue, a local attacker could elevate his privileges only on the Guest Operating System and not on the host. (CVE-2013-3519 / VMSA-2013-0014)", "cvss3": {"score": null, "vector": null}, "published": "2013-11-22T00:00:00", "type": "nessus", "title": "VMware Workstation 9.x < 9.0.3 Multiple Privilege Escalation Vulnerabilities (VMSA-2013-0013 / VMSA-2013-0014)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-3519", "CVE-2013-5972"], "modified": "2020-09-21T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_LINUX_9_0_3.NASL", "href": "https://www.tenable.com/plugins/nessus/71054", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71054);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\"CVE-2013-3519\", \"CVE-2013-5972\");\n script_bugtraq_id(63739, 64075);\n script_xref(name:\"VMSA\", value:\"2013-0013\");\n script_xref(name:\"VMSA\", value:\"2013-0014\");\n\n script_name(english:\"VMware Workstation 9.x < 9.0.3 Multiple Privilege Escalation Vulnerabilities (VMSA-2013-0013 / VMSA-2013-0014)\");\n script_summary(english:\"Checks VMware Workstation version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains software with known, local privilege\nescalation vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of VMware Workstation 9.x is prior to 9.0.3. It\nis, therefore, affected by multiple local privilege escalation\nvulnerabilities :\n\n - An issue exists in the handling of shared libraries\n that could allow a local, malicious user to escalate\n privileges on Linux hosts. (CVE-2013-5972 /\n VMSA-2013-0013)\n\n - An issue exists in the handling of the LGTOSYNC.SYS\n driver on Windows hosts that could allow a local,\n malicious user to escalate privileges on 32-bit Guest\n Operating Systems running Windows XP. Note that by\n exploiting this issue, a local attacker could elevate\n his privileges only on the Guest Operating System and\n not on the host. (CVE-2013-3519 / VMSA-2013-0014)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2013-0013.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2013-0014.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to VMware Workstation 9.0.3 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-3519\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/11/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/11/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_linux_installed.nbin\");\n script_require_keys(\"Host/VMware Workstation/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/VMware Workstation/Version\");\nfixed = '9.0.3';\n\n# 9.x < 9.0.3\nif (\n ver_compare(ver:version, fix:'9.0.0', strict:FALSE) >= 0 &&\n ver_compare(ver:version, fix:fixed, strict:FALSE) == -1\n)\n{\n if (report_verbosity > 0)\n {\n report +=\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware Workstation\", version);\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:52:22", "description": "The remote VMware ESXi 5.0 host is affected by the following vulnerabilities :\n\n - An off-by-one overflow condition exists in the xmlXPtrEvalXPtrPart() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted XML file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2011-3102)\n\n - Multiple integer overflow conditions exist due to improper validation of user-supplied input when handling overly long strings. An unauthenticated, remote attacker can exploit this, via a specially crafted XML file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2012-2807)\n\n - A heap-based underflow condition exists in the bundled libxml2 library due to incorrect parsing of strings not containing an expected space. A remote attacker can exploit this, via a specially crafted XML document, to cause a denial of service condition or the execution of arbitrary code. (CVE-2012-5134)\n\n - A privilege escalation vulnerability exists due to improper handling of control code in the lgtosync.sys driver. A local attacker can exploit this escalate privileges on Windows-based 32-bit guest operating systems. (CVE-2013-3519)", "cvss3": {"score": null, "vector": null}, "published": "2013-11-13T00:00:00", "type": "nessus", "title": "ESXi 5.0 < Build 1022489 Multiple Vulnerabilities (remote check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3102", "CVE-2012-2807", "CVE-2012-5134", "CVE-2013-3519"], "modified": "2019-11-27T00:00:00", "cpe": ["cpe:/o:vmware:esxi"], "id": "VMWARE_ESXI_5_0_BUILD_1022489_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/70877", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70877);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/11/27\");\n\n script_cve_id(\n \"CVE-2011-3102\",\n \"CVE-2012-2807\",\n \"CVE-2012-5134\",\n \"CVE-2013-3519\"\n );\n script_bugtraq_id(\n 53540,\n 54718,\n 56684,\n 64075\n );\n script_xref(name:\"VMSA\", value:\"2013-0001\");\n script_xref(name:\"VMSA\", value:\"2013-0004\");\n script_xref(name:\"VMSA\", value:\"2013-0014\");\n\n script_name(english:\"ESXi 5.0 < Build 1022489 Multiple Vulnerabilities (remote check)\");\n script_summary(english:\"Checks ESXi version and build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi 5.0 host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESXi 5.0 host is affected by the following\nvulnerabilities :\n\n - An off-by-one overflow condition exists in the\n xmlXPtrEvalXPtrPart() function due to improper\n validation of user-supplied input. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted XML file, to cause a denial of service condition\n or the execution of arbitrary code. (CVE-2011-3102)\n\n - Multiple integer overflow conditions exist due to\n improper validation of user-supplied input when handling\n overly long strings. An unauthenticated, remote\n attacker can exploit this, via a specially crafted XML\n file, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2012-2807)\n\n - A heap-based underflow condition exists in the bundled\n libxml2 library due to incorrect parsing of strings not\n containing an expected space. A remote attacker can\n exploit this, via a specially crafted XML document, to\n cause a denial of service condition or the execution of\n arbitrary code. (CVE-2012-5134)\n\n - A privilege escalation vulnerability exists due to\n improper handling of control code in the lgtosync.sys\n driver. A local attacker can exploit this escalate\n privileges on Windows-based 32-bit guest operating\n systems. (CVE-2013-3519)\");\n # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2044378\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bac4c6a1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2013-0001.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2013-0004.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2013-0014.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply patch ESXi500-201303101-SG.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-3519\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/11/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is (C) 2013-2019 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\n\nif (\"ESXi\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi\");\nif (\"VMware ESXi 5.0\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi 5.0\");\n\nmatch = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);\nif (isnull(match)) exit(1, 'Failed to extract the ESXi build number.');\n\nbuild = int(match[1]);\nfixed_build = 1022489;\n\nif (build < fixed_build)\n{\n if (report_verbosity > 0)\n {\n report = '\\n ESXi version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse exit(0, \"The host has \"+ver+\" build \"+build+\" and thus is not affected.\");\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2021-06-08T13:56:02", "description": "\n", "edition": 2, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "VMSA-2013-0014: VMware LGTOSYNC privilege escalation. (CVE-2013-3519)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.9, "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3519"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/VMSA-2013-0014-CVE-2013-3519/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "cvelist": ["CVE-2013-3519"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -----------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2013-0014\r\nSynopsis: VMware Workstation, Fusion, ESXi and ESX patches \r\n address a guest privilege escalation\r\nIssue date: 2013-12-03\r\nUpdated on: 2013-12-03 (initial advisory)\r\nCVE number: CVE-2013-3519\r\n- -----------------------------------------------------------------------\r\n\r\n1. Summary\r\n\r\n VMware Workstation, Fusion, ESXi and ESX patches address a \r\n vulnerability in the LGTOSYNC.SYS driver which could result in a\r\n privilege escalation on older Windows-based Guest Operating Systems.\r\n\r\n2. Relevant releases\r\n\r\n VMware Workstation 9.x prior to version 9.0.3 \r\n \r\n VMware Player 5.x prior to version 5.0.3\r\n\r\n VMware Fusion 5.x prior to version 5.0.4\r\n\r\n VMware ESXi 5.1 without patch ESXi510-201304102\r\n VMware ESXi 5.0 without patch ESXi500-201303102\r\n VMware ESXi 4.1 without patch ESXi410-201301402\r\n VMware ESXi 4.0 without patch ESXi400-201305401\r\n\r\n VMware ESX 4.1 without patch ESX410-201301401\r\n VMware ESX 4.0 without patch ESX400-201305401\r\n\r\n\r\n3. Problem Description\r\n\r\n a. VMware LGTOSYNC privilege escalation.\r\n\r\n VMware ESX, Workstation and Fusion contain a vulnerability \r\n in the handling of control code in lgtosync.sys. A local \r\n malicious user may exploit this vulnerability to manipulate the \r\n memory allocation. This could result in a privilege \r\n escalation on 32-bit Guest Operating Systems running Windows 2000\r\n Server, Windows XP or Windows 2003 Server on ESXi and ESX; or \r\n Windows XP on Workstation and Fusion.\r\n\r\n The vulnerability does not allow for privilege escalation\r\n from the Guest Operating System to the host. This means \r\n that host memory can not be manipulated from the Guest \r\n Operating System.\r\n\r\n VMware would like to thank Derek Soeder of Cylance, Inc. for \r\n reporting this issue to us. \r\n\r\n The Common Vulnerabilityies and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2013-3519 to this issue.\r\n\r\n Column 4 of the following table lists the action required to\r\n remediate the vulnerability in each release, if a solution is\r\n available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch*\r\n ============= ======= ======= =================\r\n Workstation 10.x any not affected\r\n Workstation 9.x any 9.0.3 or later\r\n\r\n Player 6.x Windows not affected\r\n Player 5.x Windows 5.0.3 or later\r\n\r\n Fusion 6.x Mac OS/X not affected\r\n Fusion 5.x Mac OS/X 5.0.4 or later\r\n\r\n\r\n ESXi 5.5 ESXi not affected\r\n ESXi 5.1 ESXi ESXi510-201304102-SG\r\n ESXi 5.0 ESXi ESXi500-201303102-SG\r\n ESXi 4.1 ESXi ESXi410-201301402-SG\r\n ESXi 4.0 ESXi ESXi400-201305401-SG\r\n\r\n ESX 4.1 ESX ESX410-201301401-SG\r\n ESX 4.0 ESX ESX400-201305401-SG\r\n\r\n * Notes on updating VMware Guest Tools: \r\n\r\n After the update or patch is applied, VMware Guest Tools must\r\n be updated in any pre-existing Windows-based Guest Operating \r\n System followed by a reboot of the guest system.\r\n\r\n 4. Solution\r\n\r\n Please review the patch/release notes for your product and version \r\n and verify the checksum of your downloaded file. \r\n\r\n VMware Workstation \r\n --------------------------- \r\n https://www.vmware.com/go/downloadworkstation \r\n\r\n VMware Player \r\n --------------------------- \r\n https://www.vmware.com/go/downloadplayer \r\n \r\n VMware Fusion\r\n --------------------------- \r\n https://www.vmware.com/go/downloadfusion\r\n\r\n ESXi and ESX \r\n --------------------------- \r\n https://my.vmware.com/web/vmware/downloads \r\n\r\n ESXi 5.1 \r\n --------------------------- \r\n File: update-from-esxi5.1-5.1_update01.zip \r\n md5sum: 28b8026bcfbe3cd1817509759d4b61d6 \r\n sha1sum: 9d3124d3c5efa6d0c3b9ba06511243fc6e205542 \r\n http://kb.vmware.com/kb/2041632 \r\n update-from-esxi5.1-5.1_update01.zip contains ESXi510-201304102-SG \r\n\r\n ESXi 5.0\r\n --------------------------- \r\n File: ESXi500-201303001.zip \r\n md5sum: c62470c48e81da84891c79d5533c8e91 \r\n sha1sum: 69fe8933888d2a6c4e53cfe822441c963bdcd2c7 \r\n http://kb.vmware.com/kb/2044373\r\n ESXi500-201303001.zip contains ESXi500-201303102-SG\r\n\r\n ESXi 4.1 \r\n --------------------------- \r\n File: ESXi410-201301001.zip \r\n md5sum: 2fce8e96048b5f80354e90a1b9e7776c\r\n sha1sum: d38283afafe7e27fc64f11cf780e0f1577f98c6c \r\n http://kb.vmware.com/kb/2041332 \r\n ESXi410-201301001 contains ESXi410-201301402-SG \r\n\r\n ESXi 4.0 \r\n --------------------------- \r\n File: ESXi400-201305001.zip \r\n md5sum: 065d3fa4b0f52dd38c2bd92e5bfc5580 \r\n sha1sum: 1f3cab25a144746372d86071a47e569c439e276a\r\n http://kb.vmware.com/kb/2044241\r\n ESXi400-201305001 contains ESXi400-201305401-SG\r\n\r\n ESX 4.1 \r\n ---------------------------\r\n File: ESX410-201301001.zip \r\n md5sum: a8685fff822d6fd2d112db20f223d8fd \r\n sha1sum: 4f5e6d0d11c5666bcf7488b0a970e052c77c73f0\r\n http://kb.vmware.com/kb/2041331 \r\n ESX410-201301001 contains ESX410-201301401-SG\r\n\r\n ESX 4.0 \r\n ---------------------------\r\n File: ESX400-201305001.zip \r\n md5sum: c9ac91d3d803c7b7cb9df401c20b91c0\r\n sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411 \r\n http://kb.vmware.com/kb/2044240\r\n ESX400-201305001 contains ESX400-201305401-SG\r\n \r\n5. References\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3519\r\n\r\n\r\n- -----------------------------------------------------------------------\r\n\r\n6. Change log\r\n\r\n 2013-12-03 VMSA-2013-0014\r\n Initial security advisory in conjunction with the release of VMware \r\n Fusion 5.0.4 on 2013-12-03.\r\n\r\n- -----------------------------------------------------------------------\r\n\r\n7. Contact\r\n\r\n E-mail list for product security notifications and announcements:\r\n http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce\r\n \r\n This Security Advisory is posted to the following lists:\r\n \r\n * security-announce at lists.vmware.com\r\n * bugtraq at securityfocus.com\r\n * full-disclosure at lists.grok.org.uk\r\n \r\n E-mail: security at vmware.com\r\n PGP key at: http://kb.vmware.com/kb/1055\r\n \r\n VMware Security Advisories\r\n http://www.vmware.com/security/advisories\r\n \r\n VMware security response policy\r\n http://www.vmware.com/support/policies/security_response.html\r\n \r\n General support life cycle policy\r\n http://www.vmware.com/support/policies/eos.html\r\n \r\n VMware Infrastructure support life cycle policy\r\n http://www.vmware.com/support/policies/eos_vi.html\r\n \r\n Copyright 2013 VMware Inc. All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: Encryption Desktop 10.3.0 (Build 8741)\r\nCharset: utf-8\r\n\r\nwj8DBQFSnpfaDEcm8Vbi9kMRAvhvAJ4vKNwcyVCmSwFvEUydhpXmZLL/wACeKydO\r\nUwwY8FYofaHjTAcTMeVZlhA=\r\n=pm8w\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2013-12-09T00:00:00", "published": "2013-12-09T00:00:00", "id": "SECURITYVULNS:DOC:30067", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30067", "title": "NEW VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation", "type": "securityvulns", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:53:52", "bulletinFamily": "software", "cvelist": ["CVE-2013-3519"], "description": "Privilege escalation in the guest system via LGTOSYNC.SYS.", "edition": 2, "modified": "2013-12-09T00:00:00", "published": "2013-12-09T00:00:00", "id": "SECURITYVULNS:VULN:13443", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13443", "title": "VMWare privilege escalation", "type": "securityvulns", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T13:04:51", "description": "lgtosync.sys in VMware Workstation 9.x before 9.0.3, VMware Player 5.x before 5.0.3, VMware Fusion 5.x before 5.0.4, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1, when a 32-bit Windows guest OS is used, allows guest OS users to gain guest OS privileges via an application that performs a crafted memory allocation.", "cvss3": {}, "published": "2013-12-04T18:56:00", "type": "cve", "title": "CVE-2013-3519", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.9, "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3519"], "modified": "2014-03-03T17:45:00", "cpe": ["cpe:/a:vmware:fusion:5.0.1", "cpe:/a:vmware:player:5.0.2", "cpe:/a:vmware:fusion:5.0.2", "cpe:/o:vmware:esx:4.1", "cpe:/a:vmware:workstation:9.0", "cpe:/o:vmware:esxi:4.1", "cpe:/o:vmware:esxi:5.1", "cpe:/o:vmware:esxi:4.0", "cpe:/o:vmware:esxi:5.0", "cpe:/a:vmware:player:5.0.1", "cpe:/a:vmware:fusion:5.0.3", "cpe:/a:vmware:fusion:5.0", "cpe:/o:vmware:esx:4.0", "cpe:/a:vmware:player:5.0", "cpe:/a:vmware:workstation:9.0.2", "cpe:/a:vmware:workstation:9.0.1"], "id": "CVE-2013-3519", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3519", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:vmware:esxi:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:9.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:9.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esx:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esx:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:5.0:*:*:*:*:*:*:*"]}], "vmware": [{"lastseen": "2022-05-26T00:56:46", "description": "a. VMware LGTOSYNC privilege escalation.\n\nVMware ESX, Workstation and Fusion contain a vulnerability in the handling of control code in lgtosync.sys. A local malicious user may exploit this vulnerability to manipulate the memory allocation. This could result in a privilege escalation on 32-bit Guest Operating Systems running Windows 2000 Server, Windows XP or Windows 2003 Server on ESXi and ESX; or Windows XP on Workstation and Fusion.The vulnerability does not allow for privilege escalation from the Guest Operating System to the host. This means that host memory can not be manipulated from the Guest Operating System.VMware would like to thank Derek Soeder of Cylance, Inc. for reporting this issue to us. The Common Vulnerabilityies and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3519 to this issue.Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.", "cvss3": {}, "published": "2013-12-03T00:00:00", "type": "vmware", "title": "VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.9, "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3519"], "modified": "2013-12-03T00:00:00", "id": "VMSA-2013-0014", "href": "https://www.vmware.com/security/advisories/VMSA-2013-0014.html", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}]}

VMware Fusion 5.x &lt; 5.0.4 LGTOSYNC.SYS Privilege Escalation (VMSA-2013-0014)

Description

VMware Fusion 5.x < 5.0.4 LGTOSYNC.SYS Privilege Escalation (VMSA-2013-0014)