VMware has patched a vulnerability in its ESX and ESXi hypervisors that could allow unauthorized local access to files.
“This issue may allow an unprivileged vCenter Server user with the privilege ‘Add Existing Disk’ to obtain read and write access to arbitrary files on ESXi or ESX,” the company said in its advisory released on Sunday.
The vulnerability is exploitable only locally and through vCenter, which is a management platform for other VMware virtualization products. VCenter handles deployment, centralized visibility and management features as well as optimization capabilities.
VMware cautions enterprises running older ESX installations that an unprivileged local user could not only gain read/write access to files, but could modify them with malware that would execute after a host reboot.
“Unpriviledged vCenter Server users or groups that are assigned the predefined role ‘Virtual Machine Power User’ or ‘Resource Pool Administrator’ have the privilege ‘Add Existing Disk,’” VMware said.
The company recommends limiting the number of vCenter users who have the elevated privilege in question until patches can be applied, and that none of the predefined roles are assigned in a default vCenter Server installation.
ESX versions 4.0 and 4.1 are vulnerable, as are ESXi versions 4.0, 4.1, 5.0, 5.1 and 5.5.
VMware also cautions that the patches it released will not remediate the issue if the configrules file in ESX or ESXi has been modified; VMware said this is not a common user scenario. For installations where the file has been modified, a workaround is recommended.