Date: Tue, 23 Aug 2022 20:10:48 +0000
From: VMware Security Response Center <security@...are.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: [SECURITY ADVISORY] open-vm-tools: Local privilege escalation
 vulnerability (CVE-2022-31676)

Local privilege escalation vulnerability in open-vm-tools
=========================================================

VMware security advisory, August 23 2022 - https://www.vmware.com/security/advisories/VMSA-2022-0024.html

1. Impacted Products
VMware Tools (open-vm-tools)

2. Introduction
VMware Tools was impacted by a local privilege escalation vulnerability. Updates are available to remediate this vulnerability in affected VMware products.

3. Local privilege escalation vulnerability (CVE-2022-31676)

Description:
VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range (https://www.vmware.com/support/policies/security_response.html) with a maximum CVSSv3 base score of 7.0 (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

Known Attack Vectors:
A malicious actor with local non-administrative access to the Guest OS can escalate privileges to root in the virtual machine.

Resolution:
To remediate CVE-2022-31676, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
None

Additional Documentation:
None

Acknowledgements:
None

Notes:
VMware Tools 10.3.25 only applies to the older Linux releases.

Response Matrix:

VMware Product | Version        | Running On | CVE            | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
VMware Tools   | 12.x.y, 11.x.y | Linux      | CVE-2022-31676 | 7.0    | Important | 12.1.0        | None        | None
VMware Tools   | 10.x.y         | Linux      | CVE-2022-31676 | 7.0    | Important | 10.3.25       | None        | None

CVSSv3 vector for both rows: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Fixed version release notes: https://docs.vmware.com/en/VMware-Tools/12.1/rn/VMware-Tools-1210-Release-Notes.html and https://docs.vmware.com/en/VMware-Tools/10.3/rn/VMware-Tools-10325-Release-Notes.html
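As an added example (not part of this advisory or of the open-vm-tools project), a small Python check that maps an installed VMware Tools for Linux version to the response matrix above, including the point that 11.x has no fixed release of its own and must move to 12.1.0. It assumes `vmware-toolbox-cmd -v` prints the version in the form of the constructed sample below.

```python
import re
import subprocess

# Branch -> first fixed release, taken from the advisory's response matrix.
# 11.x is listed together with 12.x and is fixed only by upgrading to 12.1.0.
FIXED_BY_BRANCH = {12: (12, 1, 0), 11: (12, 1, 0), 10: (10, 3, 25)}


def parse_version(text):
    """Return (major, minor, patch) from tool output such as '12.0.5.19716617 (build-19716617)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """Return (fixed?, required_version) for CVE-2022-31676 on Linux."""
    major = version[0]
    if major >= 12:
        required = FIXED_BY_BRANCH[12]
    elif major in FIXED_BY_BRANCH:
        required = FIXED_BY_BRANCH[major]
    else:
        # Branches older than 10.x predate every listed fix; 10.3.25 is the
        # release the advisory offers for older Linux guests.
        return (False, FIXED_BY_BRANCH[10])
    return (version >= required, required)


def report(text):
    """Human-readable verdict for one version string."""
    version = parse_version(text)
    fixed, required = is_fixed(version)
    vstr = ".".join(map(str, version))
    rstr = ".".join(map(str, required))
    return (f"{vstr}: not affected (>= {rstr})" if fixed
            else f"{vstr}: VULNERABLE to CVE-2022-31676, upgrade to {rstr}")


def check_installed():
    """Query the local guest; assumes vmware-toolbox-cmd is on PATH."""
    out = subprocess.run(["vmware-toolbox-cmd", "-v"], capture_output=True,
                         text=True, check=True).stdout
    return report(out)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real guest.
    print(report("11.3.5.18557794 (build-18557794)"))
```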


4. References:

Fixed Version(s) and Release Notes:

VMware Tools for Linux 12.1.0

Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VMTOOLS1210&productId=1259&rPId=92824

https://docs.vmware.com/en/VMware-Tools/12.1/rn/VMware-Tools-1210-Release-Notes.html

VMware Tools for Linux 10.3.25

Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VMTOOLS10325&productId=1072&rPId=92945

https://docs.vmware.com/en/VMware-Tools/10.3/rn/VMware-Tools-10325-Release-Notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676

FIRST CVSSv3 Calculator:
CVE-2022-31676: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H


Upstream fix for CVE-2022-31676: https://github.com/vmware/open-vm-tools/blob/CVE-2022-31676.patch/README.md



Thanks,
Sibi Aravind E
VMware Security Response Center


