CVE-2013-5973

Name of the Vulnerable Software and Affected Versions VMware ESXi versions 4.0 through 5.5 VMware ESX version 4.0 VMware ESX version 4.1

Description The issue allows local users to read or modify arbitrary files by leveraging the Virtual Machine Power User or Resource Pool Administrator role for a vCenter Server Add Existing Disk action with a filename that includes certain options, such as -flat, -rdm, or -rdmp.

Recommendations For VMware ESXi versions 4.0 through 5.5, consider restricting the Virtual Machine Power User or Resource Pool Administrator role to minimize the risk of exploitation. For VMware ESX version 4.0, restrict access to the Add Existing Disk action in vCenter Server to prevent unauthorized file modifications. For VMware ESX version 4.1, limit the use of filenames with options -flat, -rdm, or -rdmp in the Add Existing Disk action to reduce the risk of file reading or modification.