Bug 2213087 (CVE-2023-20867)

Summary: CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED NEXTRELEASE
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: andavis, anisinha, bdas, cavery, daniel_faustino_fidelis, ddepaula, jen, jferlan, jsavanyo, jwaterwo, kyoshida, ldu, leiwang, mrezanin, subhro, tsorense, virt-maint, vsroka, yacao, ymankad
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: open-vm-tools 12.2.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the open-vm-tools package. An attacker with root access privileges over ESXi may be able to cause an authentication bypass in the vgauth module. This may lead to compromised confidentiality and integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-17 05:47:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2215553, 2215562, 2215563, 2215564, 2215565, 2215566, 2217081, 2217082, 2217083, 2217085, 2217086, 2217087    
Bug Blocks: 2213089    

Description Marian Rehak 2023-06-07 06:34:12 UTC
Embargo Info
==============================================================
The information contained in this email is under embargo until the scheduled public disclosure on June 13th, 2023. The disclosure will be published at https://www.vmware.com/security/advisories/VMSA-2023-0013 at this time.

Description
==============================================================
CVE-2023-20867: VMware Tools contains an Authentication Bypass vulnerability in the vgauth module. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3.1 base score of 3.9 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N.

Known Attack Vectors
==============================================================
A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the virtual machine.

Remediation
==============================================================
CVE-2023-20867.zip PASSWORD: 6ljsyoo7l8qenbn4a03q

The following patches are provided for released versions of open-vm-tools:

For releases 12.2.0, 12.1.5, 12.1.0, 12.0.5, 12.0.0, 11.3.5, 11.3.0

2023-20867-Remove-some-dead-code.patch

For releases 11.1.0, 11.1.5, 11.2.0, 11.2.5

2023-20867-Remove-some-dead-code-1110-1125.patch

For releases 11.0.0, 11.0.5

2023-20867-Remove-some-dead-code-1100-1105.patch

For releases 10.3.0, 10.3.5, 10.3.10

2023-20867-Remove-some-dead-code-1030-10310.patch

The patches have been tested against the above open-vm-tools releases. Each applies cleanly with:

    git am       for a git repository.
    patch -p2    in the top directory of an open-vm-tools source tree.
==============================================================

Comment 1 subhro 2023-06-15 14:44:19 UTC
*** Bug 2215140 has been marked as a duplicate of this bug. ***

Comment 2 Marian Rehak 2023-06-16 13:48:43 UTC
Created open-vm-tools tracking bugs for this issue:

Affects: fedora-all [bug 2215553]

Comment 6 Marco Benatto 2023-06-23 18:27:21 UTC
Possible upstream commit for this issue:
https://github.com/vmware/open-vm-tools/commit/c66f38194f91f8b733caa0beb6310871ac629690

Comment 12 errata-xmlrpc 2023-06-29 15:02:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3947 https://access.redhat.com/errata/RHSA-2023:3947

Comment 13 errata-xmlrpc 2023-06-29 15:02:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:3945 https://access.redhat.com/errata/RHSA-2023:3945

Comment 14 errata-xmlrpc 2023-06-29 15:03:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:3946 https://access.redhat.com/errata/RHSA-2023:3946

Comment 15 errata-xmlrpc 2023-06-29 15:08:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3948 https://access.redhat.com/errata/RHSA-2023:3948

Comment 16 errata-xmlrpc 2023-06-29 15:09:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:3944 https://access.redhat.com/errata/RHSA-2023:3944

Comment 17 errata-xmlrpc 2023-06-29 15:14:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3949 https://access.redhat.com/errata/RHSA-2023:3949

Comment 18 errata-xmlrpc 2023-06-29 15:17:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3950 https://access.redhat.com/errata/RHSA-2023:3950