Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   VMware Vendors:   VMware
VMware Workstation/Player/Fusion VMware Tools Access Control Error Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1026922
SecurityTracker URL:
CVE Reference:   CVE-2012-1518   (Links to External Site)
Date:  Apr 13 2012
Impact:   Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation 8.0.1 and prior; Player 4.0.1 and prior; Fusion 4.1.1 and prior
Description:   A vulnerability was reported in VMware Workstation/Player/Fusion. A local user on a guest operating system can obtain elevated privileges on the target system.

On Windows-based guest operating systems, the VMware Tools folder access control list is not properly set. A local user on the guest operating system can gain elevated privileges.

Tavis Ormandy reported this vulnerability.

Impact:   A local user on a Windows guest operating system can obtain elevated privileges on the target system.
Solution:   The vendor has issued a fix (Workstation 8.0.2, Player 4.0.2, Fusion 4.1.2).

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error

Message History:   None.

 Source Message Contents

Subject:  [Security-announce] VMSA-2012-0007 VMware hosted products and ESXi/ESX patches address privilege escalation

Hash: SHA1

                   VMware Security Advisory

Advisory ID: VMSA-2012-0007
Synopsis:    VMware hosted products and ESXi/ESX patches address
             privilege escalation
Issue date:  2012-04-12
Updated on:  2012-04-12 (initial advisory)
CVE numbers: CVE-2012-1518

1. Summary

   VMware hosted products and ESXi/ESX patches address privilege

2. Relevant releases

   Workstation 8.0.1 and earlier

   Player 4.0.1 and earlier

   Fusion 4.1.1 and earlier
   ESXi 5.0 without patch ESXi500-201203102-SG
   ESXi 4.1 without patch ESXi410-201201402-BG
   ESXi 4.0 without patch ESXi400-201203402-BG
   ESXi 3.5 without patch ESXe350-201203402-T-BG

   ESX 4.1 without patch ESX410-201201401-SG
   ESX 4.0 without patch ESX400-201203401-SG
   ESX 3.5 without patch ESX350-201203402-BG

3. Problem Description

 a. VMware Tools Incorrect Folder Permissions Privilege Escalation

    The access control list of the VMware Tools folder is incorrectly
    set. Exploitation of this issue may lead to local privilege
    escalation on Windows-based Guest Operating Systems.

    VMware would like to thank Tavis Ormandy for reporting this issue
    to us.

    The Common Vulnerabilities and Exposures project (
    has assigned the name CVE-2012-1518 to this issue.   

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch *
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    Workstation    8.x       any      8.0.2 or later

    Player         4.x       any      4.0.2 or later

    Fusion         4.x       Mac OS/X 4.1.2 or later **

    ESXi           5.0       ESXi     ESXi500-201203102-SG
    ESXi           4.1       ESXi     ESXi410-201201402-BG
    ESXi           4.0       ESXi     ESXi400-201203402-BG
    ESXi           3.5       ESXi     ESXe350-201203402-T-BG

    ESX            4.1       ESX      ESX410-201201401-SG
    ESX            4.0       ESX      ESX400-201203401-SG
    ESX            3.5       ESX      ESX350-201203402-BG
   * Notes on updating VMware Guest Tools:
     After the update or patch is applied, VMware Guest Tools must be
     updated in any pre-existing Windows-based Guest Operating

     Windows-Based Virtual Machines that have moved to Workstation 8,
     Player 4 or Fusion 4 from a lower version of Workstation, Player
     or Fusion are affected.

  ** The built-in update feature of Fusion can be used immediately to
     upgrade to 4.1.2. The Web download of Fusion 4.1.2 will be
     available on 2012-04-14.
4. Solution
   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   Workstation 8.0.2
   Release notes:
   VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
   md5sum: 912df11644fccac439b6fc5f80af5cdb
   sha1sum: 67af885d20a30f6074e2511f89ffff4fee321880

   VMware Workstation for Linux 32-bit with VMware Tools
   md5sum: 121b026836091e6d06b09588afbbb4ed
   sha1sum: 94c4d04b7b24ae03ead29f17445d576173d40bb4

   VMware Workstation for Linux 64-bit with VMware Tools
   md5sum: 0f41ba61117704201cfe99892405e179
   sha1sum: 6ad52e8f0768e279639cd41abeda4f9358b40d0f

   Player 4.0.2
   Release notes:

   VMware Player for Windows 32-bit and 64-bit
   md5sum: 8ec9f7cb9556bad9c910a8a9794b3b57
   sha1sum: d3613399fc25273ea51ead82ad8bf359f7fda6d1

   VMware Player for Linux 32-bit
   md5sum: 9fd4bb474a47d5c538e5e806f91e5a40
   sha1sum: a3973dd32a1a39644d30532dc4cb4c6216869415

   VMware Player for Linux 64-bit
   md5sum: 5ba343c2c0392970ecceefa8397ac233
   sha1sum: d417eb8538660db4ef07271fcc08152a3494bb58
   Fusion 4.1.2

   Release Notes:
   VMware Fusion (for Intel-based Macs)
   md5sum: 1a40b9792306cbf4664dd72ac79baecf
   sha1sum: e4a9c6d60887ea8ff0fc7e770c4922cc7004b3e9

   ESXi and ESX

   ESXi 5.0
   md5sum: 55c25bd990e2881462bc5b66fb5f6c39
   sha1sum: ecd871bb09b649c6c8c13de82d579d4b7dcadc88

   update-from-esxi5.0-5.0_update01 contains ESXi500-201203102-SG

   ESXi 4.1
   md5sum: bdf86f10a973346e26c9c2cd4c424e88
   sha1sum: cc0b92869a9aae4f5e0e5b81bee109bcd7da780f

   ESXi410-201201001 contains ESXi410-201201402-BG

   ESXi 4.0
   md5sum: 8054b2e7c9cd024e492ac5c1fb9c1e72
   sha1sum: 6150fee114d70603ccae399f42b905a6b1a7f3e1

   ESXi400-201203001 contains ESXi400-201203402-BG

   ESXi 3.5
   md5sum: 44124458684d6d1b957b4e39cbe97d77
   sha1sum: 2255311bc6c27e127e075040eb1f98649b5ce8be

   ESXe350-201203401-O-SG contains ESXe350-201203402-T-BG

   ESX 4.1
   md5sum: 16df9acd3e74bcabc2494bc23ad0927f
   sha1sum: 1066ae1436e1a75ba3d541ab65296cfb9ab7a5cc

   ESX410-201201001 contains ESX410-201201401-SG

   ESX 4.0
   md5sum: 02b7e883e8b438b83bf5e53a1be71ad3
   sha1sum: 34734a8edba225a332731205ee2d6575ad9e1c88

   ESX400-201203001 contains ESX400-201203401-SG

   ESX 3.5
   md5sum: d10cf5d4790a5750cdc6702da29bfdbd
   sha1sum: 10f4800205cd2ecf695ff15eb142a0c8ed98665c

5. References


6. Change log

   2012-04-12 VMSA-2012-0007
   Initial security advisory in conjunction with the release of
   Fusion 4.1.2 on 2012-04-12.


7. Contact

E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:

  * security-announce at
  * bugtraq at
  * full-disclosure at

E-mail:  security at
PGP key at:

VMware Security Advisories

VMware security response policy

General support life cycle policy

VMware Infrastructure support life cycle policy

Copyright 2012 VMware Inc.  All rights reserved.

Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8


Security-announce mailing list

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC