Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 16 Oct 2023 10:03:13 -0400
From: Demi Marie Obenour <demi@...isiblethingslab.com>
To: oss-security@...ts.openwall.com
Cc: VMware Security Response Center <security@...are.com>
Subject: Re: CVE-2023-20867: open-vm-tools: Authentication
 Bypass vulnerability in the vgauth module

On Mon, Oct 16, 2023 at 03:48:14AM +0200, Solar Designer wrote:
> Hi,
> 
> This was brought to linux-distros on June 6 with "scheduled public
> disclosure on June 13th, 2023."  There's a VMware security advisory that
> says it was published on that date:
> 
> https://www.vmware.com/security/advisories/VMSA-2023-0013.html
> 
> and patches are available at:
> 
> https://github.com/vmware/open-vm-tools/tree/CVE-2023-20867.patch
> 
> but the issue was wrongly never brought to oss-security (or at least I
> couldn't find it) - so I am correcting this now.
> 
> Quoting from the linux-distros message:
> 
> > Description
> > ==============================================================
> > CVE-2023-20867: VMware Tools contains an Authentication Bypass
> > vulnerability in the vgauth module. VMware has evaluated the severity
> > of this issue to be in the Low severity range with a maximum CVSSv3.1
> > base score of 3.9 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N.
> > 
> > Known Attack Vectors
> > ==============================================================
> > A fully compromised ESXi host can force VMware Tools to fail to
> > authenticate host-to-guest operations, impacting the confidentiality
> > and integrity of the virtual machine.
> 
> Quoting from the GitHub URL above:
> 
> > The issue has been fixed in the open-vm-tools version 12.2.5 released on
> > June 13, 2023.
> > 
> > The following patch provided to the open-vm-tools community can be used
> > to apply the security fix to previous open-vm-tools releases.
> > 
> > For releases 12.2.0, 12.1.5, 12.1.0, 12.0.5, 12.0.0, 11.3.5, 11.3.0
> > 
> >     2023-20867-Remove-some-dead-code.patch
> > 
> > For releases 11.1.0, 11.1.5, 11.2.0, 11.2.5
> > 
> >     2023-20867-Remove-some-dead-code-1110-1125.patch
> > 
> > For releases 11.0.0, 11.0.5
> > 
> >     2023-20867-Remove-some-dead-code-1100-1105.patch
> > 
> > For releases 10.3.0, 10.3.5, 10.3.10
> > 
> >     2023-20867-Remove-some-dead-code-1030-10310.patch
> > 
> > The patches have been tested against the above open-vm-tools releases.
> > Each applies cleanly with:
> > 
> > git am        for a git repository.
> > patch -p2     in the top directory of an open-vm-tools source tree.
> 
> Alexander

How is this a vulnerability at all?  A compromised ESXi host can
compromise the guest already, unless confidential computing technologies
are in use.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.