3.9

CVE-2023-20867

Warnung

VMware Tools Authentication Bypass Vulnerability

A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMwareTools Version >= 10.3.0 < 12.2.5
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
DebianDebian Linux Version12.0
FedoraprojectFedora Version37
FedoraprojectFedora Version38
FedoraprojectFedora Version39

23.06.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

VMware Tools Authentication Bypass Vulnerability

Schwachstelle

VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. An attacker must have root access over ESXi to exploit this vulnerability.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 13.64% 0.96
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.9 0.8 2.7
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
security@vmware.com 3.9 0.8 2.7
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

http://www.openwall.com/lists/oss-security/2023/10/16/11
Patch
Mailing List
http://www.openwall.com/lists/oss-security/2023/10/16/2
Patch
Mailing List
https://lists.debian.org/debian-lts-announce/2023/08/msg00020.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVKQ6Y2JFJRWPFOZUOTFO3H27BK5GGOG/
Mailing List
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJNJMD67QIT6LXLKWSHFM47DCLRSMT6W/
Mailing List
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZJM6HDRQYS74JA7YNKQBFH2XSZ52HEWH/
Mailing List
Release Notes
https://security.netapp.com/advisory/ntap-20230725-0001/
Third Party Advisory
https://www.debian.org/security/2023/dsa-5493
Third Party Advisory
Mailing List
https://www.vmware.com/security/advisories/VMSA-2023-0013.html
Patch
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20867
US Government Resource