Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 27 Nov 2023 10:01:16 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-34059 - File Descriptor Hijack
 vulnerability in open-vm-tools

Hi,

On Sun, Nov 26, 2023 at 11:38:50AM -0800, John Helmert III wrote:
> On Fri, Oct 27, 2023 at 11:57:46AM +0200, Matthias Gerstner wrote:
> > Hello list,
> > 
> > I want to share my full report for this finding, please find it below.
> > 
> > Introduction
> > ============
> > 
> > During a routine review of the setuid-root binary
> > "vmware-user-suid-wrapper" from the open-vm-tools [1] repository I
> > discovered the vulnerability described in this report. The version under
> > review was open-vm-tools version 12.2.0. The setuid-root binary's source
> > code in the open-vm-tools repository did not change since version 10.3.0
> > (released in 2018), however, so likely most current installations of
> > open-vm-tools are affected by this finding.
> 
> Hm, it looks like there *was* a commit to vmware-user-suid-wrapper
> that looks very similar to the patch that was linked in the original
> advisory mail:
> 
> https://github.com/vmware/open-vm-tools/commit/63f7c79c4aecb14d37cc4ce9da509419e31d394f
> 
> Was that fix insufficient, or maybe wasn't there when your mail was sent?

There seems to be a misunderstanding here. It seems I phrased that not
properly. I did not mean to say that the issue is unfixed. As the
initial email from VMware states there is a patch and bugfix release
available.

What I wanted to express is that all versions of open-vm-tools ranging
from 10.3.0 up until before the bugfix release are likely affected by
the issue.

Cheers

Matthias

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.