Workarounds for VIX API VM Direct Access Function by vSphere users with limited privileges, CVE-2017-4919 (2151027)

Purpose


The VIX API VM Direct Access Function could be used by vSphere users with limited privileges to interact directly with a Guest Operating System (Guest OS). This issue is documented in VMSA-2017-0012 and tracked by CVE-2017-4919.

This KB provides details on the privileges that vSphere users with limited privileges would need to use this function. It also provides workarounds that prevent vSphere users with limited privileges from using this function.

Resolution

For details on vSphere permissions and user management, see the vSphere Permissions and User Management Tasks section in the VMware vSphere Guide.

To determine whether the VIX API VM Direct Access Function can be used by a limited vSphere user.

The VIX API VM Direct Access Function may be used by vSphere users with limited privileges if all of the following three privileges have been set:

  • Virtual Machine > Configuration > Advanced
    AND
  • Virtual Machine > Interaction > Guest Operating System Management by VIX API
    AND
  • Host > Configuration > Advanced Settings

For a list of vSphere privileges, see the Defined Privileges section in the VMware vSphere Guide.

Note: The last privilege is host-wide. The first two privileges are specific to the vSphere user.


To remove the capability to use the VIX API VM Direct Access Function by vSphere users with limited privileges.

These three workarounds remove the capability to use the VIX API VM Direct Access Function by vSphere users with limited privileges. Each workaround is sufficient by itself.

  • vSphere user privileges workaround

    The preferred workaround is to remove the following privilege from the roles assigned to vSphere users with limited privileges:

     Virtual Machine > Interaction > Guest Operating System Management by VIX API


  • VMware Tools workaround I

    For virtual machines that run on ESXi 6.0 and above and that run VMware Tools between version 9.10.0 (inclusive) and 10.0.x: disable the VIX API VM Direct Access Function by adding the following lines to the guest-specific VMware Tools configuration file, tools.conf:

    [guestoperations]
    Authentication.InfrastructureAgents.disabled=true

    Notes:

    • This workaround is not relevant for virtual machines that run on ESXi 5.5.

    • This workaround should not be used when:

      • VMware Site Recovery Manager is used.

      • VMware Update Manager is used to update Virtual Appliances.

      • VMware Infrastructure Navigator is used.

    For more information on how to edit the tools.conf file and where it is located, see Enabling debug logging for VMware Tools within a guest operating system (1007873).

  • VMware Tools workaround II

    For virtual machines that run on ESXi 6.0 and above: update to VMware Tools version 10.1.0 or above. The VIX API VM Direct Access Function is disabled starting in VMware Tools version 10.1.0.

    Notes:

    • This workaround is not relevant for virtual machines that run on ESXi 5.5.

    • Some older VMware products are incompatible with newer VMware Tools; see the known issues in the VMware Tools 10.1.0 release notes.
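The privilege test above and the choice between the Tools workarounds can be turned into an offline audit check. The following is an added example, not VMware code or part of this KB: it takes the privileges a user effectively holds on a VM and on its host (as display names from the lists above), plus the ESXi and VMware Tools versions, and reports whether the three-privilege condition is met and which workaround the KB offers. The role and version inputs are constructed sample data, and a real audit would feed it exported role definitions from vCenter.

```python
"""Audit helper for CVE-2017-4919 (VMSA-2017-0012): can a limited vSphere user
reach the VIX API VM Direct Access Function, and which KB workaround applies?
Privilege strings are the display names from the KB; inputs are constructed
sample data, not live vCenter data."""

# The three privileges the KB says must all be granted. The first two are
# evaluated on the virtual machine object, the third on the host (host-wide).
VM_CONFIG_ADVANCED = "Virtual Machine > Configuration > Advanced"
VM_GUEST_OPS_VIX = ("Virtual Machine > Interaction > "
                    "Guest Operating System Management by VIX API")
HOST_CONFIG_ADVANCED = "Host > Configuration > Advanced Settings"


def direct_access_possible(vm_privileges, host_privileges):
    """True only when all three privileges are effectively held."""
    return (VM_CONFIG_ADVANCED in vm_privileges
            and VM_GUEST_OPS_VIX in vm_privileges
            and HOST_CONFIG_ADVANCED in host_privileges)


def parse_version(text):
    """'10.0.12' -> (10, 0, 12); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def tools_workaround(esxi_version, tools_version):
    """Map ESXi / VMware Tools versions to the KB's Tools workarounds.
    The privilege workaround (revoking the VIX API privilege) always applies."""
    esxi, tools = parse_version(esxi_version), parse_version(tools_version)
    if esxi < (6, 0):
        return "not-relevant-on-esxi-5.5"   # Tools workarounds need ESXi 6.0+
    if tools >= (10, 1, 0):
        return "already-disabled"           # Tools 10.1.0+ ships with it disabled
    if tools >= (9, 10, 0):
        return "workaround-I-or-II"         # 9.10.0..10.0.x: tools.conf or upgrade
    return "workaround-II"                  # older Tools: upgrade to 10.1.0+


def audit(vm_privileges, host_privileges, esxi_version, tools_version):
    """Combine both checks into one finding for a (user, VM, host) triple."""
    return {"exposed": direct_access_possible(vm_privileges, host_privileges),
            "tools_workaround": tools_workaround(esxi_version, tools_version)}


if __name__ == "__main__":
    # Constructed sample: a limited role that happens to carry all three privileges.
    vm_privs = {VM_CONFIG_ADVANCED, VM_GUEST_OPS_VIX,
                "Virtual Machine > Interaction > Power On"}
    host_privs = {HOST_CONFIG_ADVANCED}
    print(audit(vm_privs, host_privs, "6.0.0", "10.0.12"))
    # Revoking the VIX API privilege (the preferred workaround) closes the path.
    print(audit(vm_privs - {VM_GUEST_OPS_VIX}, host_privs, "6.0.0", "10.0.12"))
```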
