VMware plugs murky privilege escalation hole
VMware has released updates for its ESX, Workstation, Fusion and View virtualisation software after discovering that the applications allowed a user of a Windows guest or host to manipulate memory allocation through the Virtual Machine Communication Interface (VMCI). The issue has been labelled VMSA-2013-0002 and CVE-2013-1406.
Unfortunately, VMware's advisory is rather opaque as to what the overall effect of this would be, saying only that it could result in privilege escalation. Given the references to a local user performing the manipulation, it is assumed that the vulnerability in VMCI is one that doesn't cross the host/guest boundary. The effect would then be limited to the system, host or guest, on which the VMCI manipulations took place.
Whatever the issue, it is most likely advisable to install the appropriate updates, which include VMware Workstation 9.0.1 and 8.0.5 for Windows, Fusion 5.0.2 and 4.1.4 for Mac OS X, View 5.1.2 and 4.6.2 for Windows, and a range of updates for ESXi 5.1, 5.0, 4.1 and 4.0, and ESX 4.1 and 4.0. Guest tools will need reinstalling after the updates have been installed. Details of the various downloads that are available are included in the advisory.