TippingPoint Zero Day Initiative

(0Day) VMware vCenter Server Appliance Ruby vSphere Console Privilege Escalation Vulnerability

ZDI-14-159: May 30th, 2014


CVSS Score

Affected Vendors

Affected Products

    VMWare vCenter Server Appliance

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of VMware vCenter Appliance. Authentication is required to exploit this vulnerability.

The specific flaw exists within the usage of the Ruby vSphere Console (RVC) provided by the vCenter Server Appliance. Commands can be run in a privileged context allowing an attacker to break-out of a chroot jail. This allows for an attacker to elevate privilege and execute commands as root.

Vendor Response

VMWare, Inc. states:

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180-day deadline.

Vendor Contact Timeline:
11/07/2013 - Case disclosed to vendor
11/07/2013 - Vendor acknowledged
12/02/2013 - Vendor confirmed reproduction
02/26/2014 - Vendor provided ETA August or September
05/02/2014 - Vendor provided ETA of August and December
05/02/2014 - ZDI asked vendor for something sooner
05/02/2014 - Vendor confirmed dates and will let ZDI know of any changes
05/06/2014 - Original 180-deadline passed
05/30/2014 - Public release of advisory

-- Vendor Provided Mitigations:

Remove all users from the shellaccess group with the following command: usermod -R shellaccess LOGIN


Remove the line "AllowGroups shellaccess wheel" from the /etc/ssh/sshd_config Restart the sshd service with the following command: service sshd restart

This issue only affects vCenter Server Appliance 5.1 and vCenter Server Appliance 5.5. No other products are affected by this issue.

Disclosure Timeline

    2013-11-07 - Initial contact attempt with vendor
    2014-05-30 - Public release of advisory


This vulnerability was discovered by:
    Shanon Olsson