VMSA-2023-0024:VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities

VMware Tanzu Application Service

0 more products

23678

24 October 2023

24 October 2023

CLOSED

HIGH

7.1 - 7.8

CVE-2023-34057,CVE-2023-34058

VMSA-2023-0024
7.1 - 7.8
2023-10-26
2023-10-26 (Initial Advisory)
CVE-2023-34057, CVE-2023-34058
VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)
1. Impacted Products
  • VMware Tools
2. Introduction

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)

Description

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

Resolution

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Dan Revah of Google for reporting this issue to us.

3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)

Description

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

Resolution

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

  • While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
  • CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Tools
12.x.x, 11.x.x, 10.3.x
macOS
CVE-2023-34057
important
None
None
VMware Tools
12.x.x, 11.x.x, 10.3.x
Windows
CVE-2023-34057
N/A
N/A
Unaffected
N/A
N/A
VMware Tools
12.x.x, 11.x.x, 10.3.x
macOS
CVE-2023-34058
N/A
N/A
Unaffected
N/A
N/A
VMware Tools
12.x.x, 11.x.x, 10.3.x
Windows
CVE-2023-34058
important
None
None
4. References
5. Change Log

2023-10-26 VMSA-2023-0024
Initial security advisory.

6. Contact

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055 

VMware Security Advisories
https://www.vmware.com/security/advisories 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  
https://blogs.vmware.com/security 

Twitter
https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.