CVE-2023-34058

27.10.2023, 05:15

VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	ADJACENT_NETWORK	HIGH	LOW	CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Affected Products (NVD)

Vendor	Product	Version
vmware	open_vm_tools	11.0.0 ≤ 𝑥 ≤ 12.3.0
debian	debian_linux	10.0
debian	debian_linux	11.0
debian	debian_linux	12.0
vmware	tools	10.3.0 ≤ 𝑥 < 12.3.5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

open-vm-tools

bookworm	2:12.2.0-1+deb12u2 fixed
bookworm (security)	2:12.2.0-1+deb12u2 fixed
bullseye	2:11.2.5-2+deb11u3 fixed
bullseye (security)	2:11.2.5-2+deb11u3 fixed
sid	2:12.4.5-1 fixed
trixie	2:12.4.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

open-vm-tools

bionic	Fixed 2:11.0.5-4ubuntu0.18.04.3+esm3 released
focal	Fixed 2:11.3.0-2ubuntu0~ubuntu20.04.7 released
jammy	Fixed 2:12.1.5-3~ubuntu0.22.04.4 released
lunar	Fixed 2:12.1.5-3ubuntu0.23.04.3 released
mantic	Fixed 2:12.3.0-1ubuntu0.1 released
noble	not-affected
oracular	not-affected
trusty	ignored
xenial	Fixed 2:10.2.0-3~ubuntu0.16.04.1+esm4 released

openSUSE / SLES Releases

openSUSE Product

Release

libvmtools-devel

suse enterprise desktop 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise desktop 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise sap 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise sap 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise sap 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise sap 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise server 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise server 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise server 15 SP3	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise server 15 SP7	12.5.0-150600.3.9.1 fixed

libvmtools0

suse enterprise desktop 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise desktop 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise sap 12 SP5	12.3.0-4.62.1 fixed
suse enterprise sap 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise sap 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise sap 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise sap 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise server 12 SP3	10.3.10-3.41.1 fixed
suse enterprise server 12 SP5	12.3.0-4.62.1 fixed
suse enterprise server 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise server 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise server 15 SP3	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise server 15 SP7	12.5.0-150600.3.9.1 fixed

open-vm-tools

suse enterprise desktop 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise desktop 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise sap 12 SP5	12.3.0-4.62.1 fixed
suse enterprise sap 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise sap 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise sap 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise sap 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise server 12 SP3	10.3.10-3.41.1 fixed
suse enterprise server 12 SP5	12.3.0-4.62.1 fixed
suse enterprise server 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise server 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise server 15 SP3	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise server 15 SP7	12.5.0-150600.3.9.1 fixed

open-vm-tools-containerinfo

suse enterprise desktop 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP3	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP5	12.3.0-150300.43.1 fixed

open-vm-tools-desktop

suse enterprise sap 12 SP5	12.3.0-4.62.1 fixed
suse enterprise sap 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise sap 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise server 12 SP3	10.3.10-3.41.1 fixed
suse enterprise server 12 SP5	12.3.0-4.62.1 fixed
suse enterprise server 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise server 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise server 15 SP3	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP4	12.3.0-150300.43.1 fixed

open-vm-tools-salt-minion

suse enterprise desktop 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise desktop 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise sap 12 SP5	12.3.0-4.62.1 fixed
suse enterprise sap 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise sap 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise server 12 SP5	12.3.0-4.62.1 fixed
suse enterprise server 15 SP3	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise server 15 SP7	12.5.0-150600.3.9.1 fixed

open-vm-tools-sdmp

suse enterprise desktop 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise desktop 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise desktop 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise sap 12 SP5	12.3.0-4.62.1 fixed
suse enterprise sap 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise sap 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise sap 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise sap 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise sap 15 SP7	12.5.0-150600.3.9.1 fixed
suse enterprise server 12 SP5	12.3.0-4.62.1 fixed
suse enterprise server 15 SP1	11.3.5-150100.4.37.21.1 fixed
suse enterprise server 15 SP2	11.3.5-150200.5.16.19.1 fixed
suse enterprise server 15 SP3	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP4	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP5	12.3.0-150300.43.1 fixed
suse enterprise server 15 SP6	12.4.0-150600.1.3 fixed
suse enterprise server 15 SP7	12.5.0-150600.3.9.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

open-vm-tools

RHEL 7	0:11.0.5-3.el7_9.9 fixed
RHEL 8	0:12.2.5-3.el8_9.1 fixed
RHEL 8.1 E4S	0:10.3.10-3.el8_1.5 fixed
RHEL 8.2 AUS	0:11.0.0-4.el8_2.4 fixed
RHEL 8.2 E4S	0:11.0.0-4.el8_2.4 fixed
RHEL 8.2 TUS	0:11.0.0-4.el8_2.4 fixed
RHEL 8.4 AUS	0:11.2.0-2.el8_4.4 fixed
RHEL 8.4 E4S	0:11.2.0-2.el8_4.4 fixed
RHEL 8.4 TUS	0:11.2.0-2.el8_4.4 fixed
RHEL 8.6 AUS	0:11.3.5-1.el8_6.5 fixed
RHEL 8.6 E4S	0:11.3.5-1.el8_6.5 fixed
RHEL 8.6 EUS	0:11.3.5-1.el8_6.5 fixed
RHEL 8.6 TUS	0:11.3.5-1.el8_6.5 fixed
RHEL 8.8 AUS	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 E4S	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 EUS	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 TUS	0:12.1.5-2.el8_8.4 fixed
RHEL 9	0:12.2.5-3.el9_3.2 fixed

open-vm-tools-desktop

RHEL 7	0:11.0.5-3.el7_9.9 fixed
RHEL 8	0:12.2.5-3.el8_9.1 fixed
RHEL 8.1 E4S	0:10.3.10-3.el8_1.5 fixed
RHEL 8.2 AUS	0:11.0.0-4.el8_2.4 fixed
RHEL 8.2 E4S	0:11.0.0-4.el8_2.4 fixed
RHEL 8.2 TUS	0:11.0.0-4.el8_2.4 fixed
RHEL 8.4 AUS	0:11.2.0-2.el8_4.4 fixed
RHEL 8.4 E4S	0:11.2.0-2.el8_4.4 fixed
RHEL 8.4 TUS	0:11.2.0-2.el8_4.4 fixed
RHEL 8.6 AUS	0:11.3.5-1.el8_6.5 fixed
RHEL 8.6 E4S	0:11.3.5-1.el8_6.5 fixed
RHEL 8.6 EUS	0:11.3.5-1.el8_6.5 fixed
RHEL 8.6 TUS	0:11.3.5-1.el8_6.5 fixed
RHEL 8.8 AUS	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 E4S	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 EUS	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 TUS	0:12.1.5-2.el8_8.4 fixed
RHEL 9	0:12.2.5-3.el9_3.2 fixed

open-vm-tools-devel

RHEL 7

0:11.0.5-3.el7_9.9

fixed

open-vm-tools-salt-minion

RHEL 8	0:12.2.5-3.el8_9.1 fixed
RHEL 8.8 AUS	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 E4S	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 EUS	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 TUS	0:12.1.5-2.el8_8.4 fixed
RHEL 9	0:12.2.5-3.el9_3.2 fixed

open-vm-tools-sdmp

RHEL 8	0:12.2.5-3.el8_9.1 fixed
RHEL 8.4 AUS	0:11.2.0-2.el8_4.4 fixed
RHEL 8.4 E4S	0:11.2.0-2.el8_4.4 fixed
RHEL 8.4 TUS	0:11.2.0-2.el8_4.4 fixed
RHEL 8.6 AUS	0:11.3.5-1.el8_6.5 fixed
RHEL 8.6 E4S	0:11.3.5-1.el8_6.5 fixed
RHEL 8.6 EUS	0:11.3.5-1.el8_6.5 fixed
RHEL 8.6 TUS	0:11.3.5-1.el8_6.5 fixed
RHEL 8.8 AUS	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 E4S	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 EUS	0:12.1.5-2.el8_8.4 fixed
RHEL 8.8 TUS	0:12.1.5-2.el8_8.4 fixed
RHEL 9	0:12.2.5-3.el9_3.2 fixed

open-vm-tools-test

RHEL 7	0:11.0.5-3.el7_9.9 fixed
RHEL 9	0:12.2.5-3.el9_3.2 fixed

Common Weakness Enumeration

CWE-347 - Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.

References

http://www.openwall.com/lists/oss-security/2023/10/27/1

https://lists.debian.org/debian-lts-announce/2023/11/msg00002.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7G77Z76CQPGUF7VHRA6O3UFCMPPR4O2/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQUOFQL2SNNNMKROQ3TZQY4HEYMNOIBW/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLTKVTRKQW2GD2274H3UOW6XU4E62GSK/

https://www.debian.org/security/2023/dsa-5543

https://www.vmware.com/security/advisories/VMSA-2023-0024.html

http://www.openwall.com/lists/oss-security/2023/10/27/1

https://lists.debian.org/debian-lts-announce/2023/11/msg00002.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7G77Z76CQPGUF7VHRA6O3UFCMPPR4O2/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQUOFQL2SNNNMKROQ3TZQY4HEYMNOIBW/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLTKVTRKQW2GD2274H3UOW6XU4E62GSK/

https://www.debian.org/security/2023/dsa-5543

https://www.vmware.com/security/advisories/VMSA-2023-0024.html