Workarounds for VIX API VM Direct Access Function by vSphere users with limited privileges, CVE-2017-4919

Article ID: 320040


Products

VMware

Issue/Introduction


The VIX API VM Direct Access Function could be used by vSphere users with limited privileges to interact directly with a Guest Operating System (Guest OS). This issue is documented in VMSA-2017-0012 and tracked by CVE-2017-4919.

This KB provides details on the privileges that vSphere users with limited privileges would need to use this function. It also provides workarounds that prevent vSphere users with limited privileges from using this function.


Resolution

For details on vSphere permissions and user management, see the vSphere Permissions and User Management Tasks section in the VMware vSphere Guide.

To determine whether the VIX API VM Direct Access Function can be used by a vSphere user with limited privileges.

The VIX API VM Direct Access Function may be used by vSphere users with limited privileges only if all three of the following privileges have been granted:

  • Virtual Machine > Configuration > Advanced
    AND
  • Virtual Machine > Interaction > Guest Operating System Management by VIX API
    AND
  • Host > Configuration > Advanced Settings
For a list of vSphere privileges, see Defined Privileges section in the VMware vSphere Guide.

Note: The last privilege is host-wide. The first two privileges are specific to the vSphere user.
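The three-way AND above is easy to check mechanically. The following Python is an added example, not code from this KB or from VMware: it takes a mapping of names to privilege-ID lists (constructed inline here; in practice filled from pyVmomi's AuthorizationManager.roleList or PowerCLI's Get-VIRole and Get-VIPrivilege output), reports which entries satisfy the condition and which privilege the others still lack, and shows what the preferred privilege workaround leaves behind. The privilege IDs are treated as an assumption: they are the vSphere API identifiers believed to correspond to the three UI labels, so verify them against your vCenter's privilege list before acting on the output. Because a user can collect the three privileges through separate permissions (one role on the virtual machine, another on the host), a per-role check is only a first pass; pass a user's aggregated effective privileges to the same functions for an authoritative answer.

```python
# Added example (not part of the KB): flag roles or principals that hold the three
# privileges the KB names, and show the preferred workaround applied to one of them.

# Privilege IDs assumed to correspond to the KB's three UI labels; verify against
# your vCenter's privilege list (e.g. AuthorizationManager.privilegeList in pyVmomi).
VM_ADVANCED_CONFIG = "VirtualMachine.Config.AdvancedConfig"    # Virtual Machine > Configuration > Advanced
VM_VIX_GUEST_CONTROL = "VirtualMachine.Interact.GuestControl"  # Virtual Machine > Interaction > Guest OS management by VIX API
HOST_ADVANCED_SETTINGS = "Host.Config.AdvancedConfig"          # Host > Configuration > Advanced Settings

REQUIRED_FOR_VIX_DIRECT_ACCESS = frozenset(
    {VM_ADVANCED_CONFIG, VM_VIX_GUEST_CONTROL, HOST_ADVANCED_SETTINGS}
)

# Constructed sample export: name -> privilege IDs. In practice this is either a
# role list or, better, each user's aggregated effective privileges.
SAMPLE_ROLES = {
    "Administrator": ["System.Anonymous", "System.View", "System.Read",
                      VM_ADVANCED_CONFIG, VM_VIX_GUEST_CONTROL, HOST_ADVANCED_SETTINGS],
    "VMOperator": [VM_ADVANCED_CONFIG, VM_VIX_GUEST_CONTROL, HOST_ADVANCED_SETTINGS,
                   "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff"],
    "GuestOpsOnly": [VM_VIX_GUEST_CONTROL, "VirtualMachine.Interact.ConsoleInteract"],
    "ReadOnly": ["System.Anonymous", "System.View", "System.Read"],
}


def missing_privileges(privileges):
    """Which of the three required privileges the given set still lacks."""
    return REQUIRED_FOR_VIX_DIRECT_ACCESS - set(privileges)


def can_use_vix_direct_access(privileges):
    """The KB's condition: all three privileges present (AND)."""
    return not missing_privileges(privileges)


def audit(entries, trusted=("Administrator",)):
    """Names of non-trusted entries whose privileges satisfy the condition."""
    return sorted(
        name for name, privs in entries.items()
        if name not in trusted and can_use_vix_direct_access(privs)
    )


def apply_privilege_workaround(privileges):
    """The KB's preferred workaround: drop the VIX guest-management privilege only."""
    return [p for p in privileges if p != VM_VIX_GUEST_CONTROL]


if __name__ == "__main__":
    for name in audit(SAMPLE_ROLES):
        print(f"{name}: can use VIX API VM Direct Access; "
              f"after workaround: {apply_privilege_workaround(SAMPLE_ROLES[name])}")
    for name, privs in SAMPLE_ROLES.items():
        if not can_use_vix_direct_access(privs):
            print(f"{name}: missing {sorted(missing_privileges(privs))}")
```

Removing only VM_VIX_GUEST_CONTROL is deliberate: the other two privileges are needed for unrelated day-to-day tasks, and taking away any one of the three breaks the AND condition.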


To remove the capability to use the VIX API VM Direct Access Function from vSphere users with limited privileges.

These three workarounds remove the capability to use the VIX API VM Direct Access Function by vSphere users with limited privileges. Each workaround is sufficient by itself.

  • vSphere user privileges workaround

    The preferred workaround is to remove the following privilege from the roles assigned to vSphere users with limited privileges:

    Virtual Machine > Interaction > Guest Operating System Management by VIX API


  • VMware Tools workaround I

    For virtual machines that run on ESXi 6.0 and above and that run VMware Tools between version 9.10.0 (inclusive) and 10.0.x: disable the VIX API VM Direct Access Function by adding the following lines to the guest-specific configuration file tools.conf:

    [guestoperations]
    Authentication.InfrastructureAgents.disabled=true

    Notes:

    • This workaround is not relevant for virtual machines that run on ESXi 5.5.

    • This workaround should not be used if any of the following is in use:

      • VMware Site Recovery Manager is used

      • VMware Update Manager is used to update Virtual Appliances

      • VMware Infrastructure Navigator is used.


    For more information on how the tools.conf file is edited and where it is located, see Enabling debug logging for VMware Tools within a guest operating system (1007873).
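    The tools.conf change above is easy to get subtly wrong (wrong section, a second copy of the key, comments clobbered by a rewrite). The following Python is an added example, not code from this KB or from VMware: it reports the current value of the setting in a tools.conf text and applies the workaround idempotently, touching only the one key and leaving every other line and comment as it was. The sample tools.conf content is constructed; the real file's path depends on the guest OS (see KB 1007873), so the caller reads and writes the file and this code works on its text. Use it only on guests where the exclusions in the note above (Site Recovery Manager, Update Manager for virtual appliances, Infrastructure Navigator) do not apply.

```python
# Added example (not part of the KB): check and apply the
# [guestoperations] Authentication.InfrastructureAgents.disabled=true workaround
# in tools.conf text without disturbing other sections or comments.

SECTION = "guestoperations"
KEY = "Authentication.InfrastructureAgents.disabled"

# Constructed sample tools.conf (not a real shipped file): the setting is absent.
SAMPLE_TOOLS_CONF = """\
# Constructed sample tools.conf
[logging]
log=true
vmsvc.level=message

[guestoperations]
# VIX API VM Direct Access still enabled here (default)
"""


def _is_header(stripped):
    return stripped.startswith("[") and stripped.endswith("]")


def setting_value(text):
    """Current value of KEY inside [guestoperations], or None if not set."""
    in_section = False
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#;":          # blank or comment
            continue
        if _is_header(s):
            in_section = s[1:-1].strip() == SECTION   # section names are case-sensitive
        elif in_section and "=" in s:
            k, v = (part.strip() for part in s.split("=", 1))
            if k == KEY:
                return v
    return None


def vix_direct_access_disabled(text):
    """True when the workaround from 'VMware Tools workaround I' is in effect."""
    return (setting_value(text) or "").lower() == "true"


def ensure_disabled(text):
    """Return tools.conf text with KEY=true in [guestoperations]; idempotent.

    Rewrites an existing key in place, appends the key to an existing section,
    or appends a new section if none exists. All other lines are kept verbatim.
    """
    out, in_section, section_found, key_written = [], False, False, False
    for line in text.splitlines():
        s = line.strip()
        if _is_header(s):
            if in_section and not key_written:        # leaving the section: add key first
                out.append(f"{KEY}=true")
                key_written = True
            in_section = s[1:-1].strip() == SECTION
            section_found = section_found or in_section
            out.append(line)
            continue
        if in_section and not key_written and s and s[0] not in "#;" and "=" in s:
            if s.split("=", 1)[0].strip() == KEY:     # existing key: force the value
                out.append(f"{KEY}=true")
                key_written = True
                continue
        out.append(line)
    if not key_written:                                # section was last, or missing
        if not section_found:
            if out and out[-1].strip():
                out.append("")
            out.append(f"[{SECTION}]")
        out.append(f"{KEY}=true")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", setting_value(SAMPLE_TOOLS_CONF))
    fixed = ensure_disabled(SAMPLE_TOOLS_CONF)
    print("after :", setting_value(fixed))
    print(fixed)
```

The line-based rewrite is used instead of configparser on purpose: configparser would drop the comments that ship in tools.conf and may reject lines it does not understand, whereas the check here only needs to find one key under one section header.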

  • VMware Tools workaround II

    For virtual machines that run on ESXi 6.0 and above: update to VMware Tools version 10.1.0 or later. The VIX API VM Direct Access Function is disabled starting in VMware Tools version 10.1.0.

    Notes:
    • This workaround is not relevant for virtual machines that run on ESXi 5.5.

    • Some older VMware products are incompatible with newer VMware Tools; see the known issues in the VMware Tools 10.1.0 release notes.


Additional Information

Enabling debug logging for VMware Tools within a guest operating system