3.9

CVE-2023-20867

Warnung

EPSS 0.98%
Veröffentlicht 13.06.2023 17:15:14
Zuletzt bearbeitet 10.03.2025 20:43:28
Quelle security@vmware.com
Teams Watchlist Login
Unerledigt Login

A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

VMware ≫ Tools Version >= 10.3.0 < 12.2.5

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Debian ≫ Debian Linux Version12.0

Fedoraproject ≫ Fedora Version37

Fedoraproject ≫ Fedora Version38

Fedoraproject ≫ Fedora Version39

23.06.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

VMware Tools Authentication Bypass Vulnerability

Schwachstelle

VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. An attacker must have root access over ESXi to exploit this vulnerability.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.98%	0.76

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.9	0.8	2.7	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
security@vmware.com	3.9	0.8	2.7	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

http://www.openwall.com/lists/oss-security/2023/10/16/11

Patch

Mailing List

http://www.openwall.com/lists/oss-security/2023/10/16/2

Patch

Mailing List

https://lists.debian.org/debian-lts-announce/2023/08/msg00020.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVKQ6Y2JFJRWPFOZUOTFO3H27BK5GGOG/

Mailing List

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJNJMD67QIT6LXLKWSHFM47DCLRSMT6W/

Mailing List

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZJM6HDRQYS74JA7YNKQBFH2XSZ52HEWH/

Mailing List

Release Notes

https://security.netapp.com/advisory/ntap-20230725-0001/

Third Party Advisory

https://www.debian.org/security/2023/dsa-5493

Third Party Advisory

Mailing List

https://www.vmware.com/security/advisories/VMSA-2023-0013.html

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-20867

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-20867

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-20867

EUVD