VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX (remote check)

VMware ESXi and ESX unauthorized file access through vCenter Server and ESX (remote check). Check the build number, apply the missing patch(es), and restrict the number of vCenter Server users with the privilege "Add Existing Disk

Reporter	Title	Published	Views	Family All 19
CVE	CVE-2013-5973	23 Dec 201315:00	–	cve
Cvelist	CVE-2013-5973	23 Dec 201315:00	–	cvelist
EUVD	EUVD-2013-5803	7 Oct 202500:30	–	euvd
Japan Vulnerability Notes	JVN#13154935: VMware ESX and ESXi may allow access to arbitrary files	24 Dec 201300:00	–	jvn
Japan Vulnerability Notes	VMware ESX and ESXi may allow access to arbitrary files	24 Dec 201306:02	–	jvn
NVD	CVE-2013-5973	23 Dec 201315:42	–	nvd
OpenVAS	VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX	27 Dec 201300:00	–	openvas
OpenVAS	VMware ESXi/ESX unauthorized file access through vCenter Server and ESX (VMSA-2013-0016) - Local Version Check	27 Dec 201300:00	–	openvas
OpenVAS	VMware ESXi/ESX unauthorized file access through vCenter Server and ESX (VMSA-2013-0016) - Remote Version Check	27 Dec 201300:00	–	openvas
Prion	Design/Logic Flaw	23 Dec 201315:42	–	prion

Source	Link
vmware	www.vmware.com/security/advisories/VMSA-2013-0016.html

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_VMSA-2013-0016_remote.nasl 6074 2017-05-05 09:03:14Z teissa $
#
# VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX (remote check)
#
# Authors:
# Michael Meyer <[email protected]>
#
# Copyright:
# Copyright (c) 2013 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_vuldetect = "Check the build number.";
tag_summary = "VMware ESXi and ESX unauthorized file access through vCenter Server and ESX";
tag_solution = "Apply the missing patch(es).";

tag_affected = "VMware ESXi 5.5 Build < 1474526
VMware ESXi 5.1 Build < 1312874 
VMware ESXi 5.0 Build < 1311177";

tag_insight = 'a. VMware ESXi and ESX unauthorized file access through vCenter Server and ESX

VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual
Machine file descriptors. This issue may allow an unprivileged vCenter Server
user with the privilege "Add Existing Disk" to obtain read and write access to
arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain
read and write access to arbitrary files. Modifying certain files may allow
for code execution after a host reboot.

Unpriviledged vCenter Server users or groups that are assigned the predefined
role "Virtual Machine Power User" or "Resource Pool Administrator" have the
privilege "Add Existing Disk".

The issue cannot be exploited through VMware vCloud Director.

Workaround

A workaround is provided in VMware Knowledge Base article 2066856. 

Mitigation

In a default vCenter Server installation no unprivileged users or groups
are assigned the predefined role "Virtual Machine Power User" or "Resource
Pool Administrator".  Restrict the number of vCenter Server users that have
the privilege "Add Existing Disk".';

if (description)
{
 script_id(103864);
 script_cve_id("CVE-2013-5973");
 script_tag(name:"cvss_base", value:"4.4");
 script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:P/I:P/A:P");
 script_version ("$Revision: 6074 $");
 script_name("VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX (remote check)");


 script_xref(name:"URL", value:"http://www.vmware.com/security/advisories/VMSA-2013-0016.html");

 script_tag(name:"last_modification", value:"$Date: 2017-05-05 11:03:14 +0200 (Fri, 05 May 2017) $");
 script_tag(name:"creation_date", value:"2013-12-27 12:04:01 +0100 (Fri, 27 Dec 2013)");
 script_category(ACT_GATHER_INFO);
 script_family("General");
 script_copyright("This script is Copyright (C) 2013 Greenbone Networks GmbH");
 script_dependencies("gb_vmware_esx_web_detect.nasl");
 script_mandatory_keys("VMware/ESX/build","VMware/ESX/version");

 script_tag(name : "vuldetect" , value : tag_vuldetect);
 script_tag(name : "insight" , value : tag_insight);
 script_tag(name : "solution" , value : tag_solution);
 script_tag(name : "summary" , value : tag_summary);
 script_tag(name : "affected" , value : tag_affected);
 script_tag(name:"qod_type", value:"package");
 script_tag(name:"solution_type", value:"VendorFix");

 exit(0);

}

include("vmware_esx.inc");

if(!esxVersion = get_kb_item("VMware/ESX/version"))exit(0);
if(!esxBuild = get_kb_item("VMware/ESX/build"))exit(0);

fixed_builds = make_array("5.0.0","1311177",
                          "5.1.0","1312874",
                          "5.5.0","1474526");

if(!fixed_builds[esxVersion])exit(0);

if(int(esxBuild) < int(fixed_builds[esxVersion])) {
  security_message(port:0, data: esxi_remote_report(ver:esxVersion, build: esxBuild, fixed_build: fixed_builds[esxVersion]));
  exit(0);
}  

exit(99);

05 May 2017 00:00Current

0.7Low risk

Vulners AI Score0.7

EPSS0.00033