3.9

CVE-2023-20867

Warning

EPSS 0.98%
Published 13.06.2023 17:15:14
Last modified 10.03.2025 20:43:28
Source security@vmware.com
Teams watchlist Login
Open Login

A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.

Affected products Warnungen 1 Metrics 3 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

VMware ≫ Tools Version >= 10.3.0 < 12.2.5

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Debian ≫ Debian Linux Version12.0

Fedoraproject ≫ Fedora Version37

Fedoraproject ≫ Fedora Version38

Fedoraproject ≫ Fedora Version39

23.06.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

VMware Tools Authentication Bypass Vulnerability

Vulnerability

VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. An attacker must have root access over ESXi to exploit this vulnerability.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.98%	0.76

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	3.9	0.8	2.7	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
security@vmware.com	3.9	0.8	2.7	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

http://www.openwall.com/lists/oss-security/2023/10/16/11

Patch

Mailing List

http://www.openwall.com/lists/oss-security/2023/10/16/2

Patch

Mailing List

https://lists.debian.org/debian-lts-announce/2023/08/msg00020.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVKQ6Y2JFJRWPFOZUOTFO3H27BK5GGOG/

Mailing List

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJNJMD67QIT6LXLKWSHFM47DCLRSMT6W/

Mailing List

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZJM6HDRQYS74JA7YNKQBFH2XSZ52HEWH/

Mailing List

Release Notes

https://security.netapp.com/advisory/ntap-20230725-0001/

Third Party Advisory

https://www.debian.org/security/2023/dsa-5493

Third Party Advisory

Mailing List

https://www.vmware.com/security/advisories/VMSA-2023-0013.html

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-20867

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-20867

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-20867

EUVD