VMware ESX/ESXi Server Multiple Vulnerabilities

Date Disclosed:
7/31/2013

Date Patched:
Patch Not Yet Available

Vendor:
VMware
Affected Software:
VMware ESX 4.0
VMware ESXi 4.0, 5.0, 5.1
Description:
VMware ESX and ESXi contain multible vulnerabilities due to bundled versions of libxml2, GNU TLS, OpenSSL, and the Linux kernel. Successful exploitation may result in elevation of privilege, information disclosure, or denial of service.
Severity:
High
Code Execution:
Yes.
Impact:
Elevation of Privilege

Of the various vulnerabilities present in VMware ESX and ESXi, the worst of which may allow an attacker to have an opportunity to elevate their privileges. This may allow them to perform actions that would normally be restricted from them, including the ability to access sensitive data and executing arbitrary code.
Mitigation:
No mitigations are currently available.
Protection:
BeyondTrust's Retina® Network Security Scanner scans devices to detect for this vulnerability.

• 19926 - VMware ESX/ESXi Server Multiple Vulnerabilities (Zero-Day) - ESXi 5.1/5.0/4.0
• 19927 - VMware ESX/ESXi Server Multiple Vulnerabilities (Zero-Day) - ESX 4.0

Links:

• VMware Advisory
• Linux MSR vulnerability proof of concept

Status:
2013-07-31 - VMware security advisory released
2013-08-06 - Linux MSR proof of concept released