VMware Patches Privilege Escalation Vulnerability

VMware released patches yesterday to fix a vulnerability that could have led to a privilege escalation in older Windows systems running in virtual environments.

Virtualization software company VMware pushed out patches for some builds of its Workstation, Fusion, ESXi and ESX products this week, fixing a vulnerability that could have led to a privilege escalation in older Windows operating systems running in a virtual environment.

The main problem is the way that Workstation, ESX and Fusion handle control code in the LGTOSYNC.sys driver. If an attacker leveraged a vulnerability in that driver, they could manipulate memory allocation and put users running the software on 32-bit systems running Windows 2000 Server, Windows XP or Windows 2003 at risk. ESXi is tangentially vulnerable if deployed on Windows 2000 Server, Windows XP or Windows 2003 Server.

“The vulnerability does not allow for privilege escalation from the Guest Operating System to the host,” VMware specified in an advisory yesterday. “This means that host memory can not be manipulated from the Guest Operating System.”

The security advisory adds that versions of Workstation from 9.x prior to 9.0.3, Player from 5.x prior to 5.0.3, Fusion from 5.x to 5.0.4, ESXi 4.0, 4.1, 5.0, 5.1 and ESX 4.0 and 4.1 are all affected.

All of the vulnerable products are more or less part of the company’s VMware infrastructure suite. VMware Fusion is technically referred to as a software hypervisor, allowing Intel-based Macs to run Windows, Linux and other operating systems alongside OS X. Workstation has the same functionality as Fusion but is specialized for x64 computers running Windows, Linux or BSD.

It’s the second privilege escalation vulnerability patched by VMware in the past three weeks. The company also fixed a similar issue in Workstation, in particular the version that runs Linux, back in November.

VMware posted patches for all of the products implicated yesterday on the support section of its site and, as usual, sent security notifications via email and in a post on Full Disclosure’s lists.
