=====================================================================

                               CERT-Renater

                     Information Note No. 2023/VULN446

_____________________________________________________________________

DATE                : 30/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Tools versions prior to
                     12.1.1, 12.3.5.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2023-0024.html
_____________________________________________________________________

Important

Advisory ID:      VMSA-2023-0024
CVSSv3 Range:     7.5 - 7.8
Issue Date:       2023-10-26
Updated On:       2023-10-26 (Initial Advisory)
CVE(s):           CVE-2023-34057, CVE-2023-34058

Synopsis:
VMware Tools updates address Local Privilege Escalation and SAML Token
Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)


1. Impacted Products

     VMware Tools

2. Introduction

Multiple vulnerabilities in VMware Tools were responsibly reported to
VMware. Updates are available to remediate these vulnerabilities in
affected VMware products.


3a. Local privilege escalation vulnerability in VMware Tools (macOS)
(CVE-2023-34057)

Description

VMware Tools contains a local privilege escalation vulnerability.
VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

A malicious actor with local user access to a guest virtual machine
may elevate privileges within the virtual machine.

Resolution

To remediate CVE-2023-34057 apply the patches listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Notes
None.

Acknowledgements

VMware would like to thank Dan Revah of Google for reporting
this issue to us.

3b. SAML Token Signature Bypass vulnerability in VMware Tools
(CVE-2023-34058)

Description

VMware Tools contains a SAML token signature bypass
vulnerability. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum
CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor that has been granted Guest Operation Privileges
in a target virtual machine may be able to elevate their
privileges if that target virtual machine has been assigned a
more privileged Guest Alias.

Resolution

To remediate CVE-2023-34058 apply the patches listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Notes

While the description and known attack vectors are very
similar to CVE-2023-20900, CVE-2023-34058 has a different
root cause that has now been addressed.

CVE-2023-34058 also impacts open-vm-tools. Fixes have
been provided to the Linux community for distribution.

Response Matrix

Product       Version                 Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation

VMware Tools  12.x.x, 11.x.x, 10.3.x  macOS       CVE-2023-34057  7.8     Important  12.1.1         None         None
VMware Tools  12.x.x, 11.x.x, 10.3.x  Windows     CVE-2023-34057  N/A     N/A        Unaffected     N/A          N/A
VMware Tools  12.x.x, 11.x.x, 10.3.x  macOS       CVE-2023-34058  N/A     N/A        Unaffected     N/A          N/A
VMware Tools  12.x.x, 11.x.x, 10.3.x  Windows     CVE-2023-34058  7.5     Important  12.3.5         None         None
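
The Response Matrix applied to a guest inventory, as an added example (not part of the VMware advisory or of any VMware tooling). The inventory rows, host names and status labels are constructed for illustration, and the version strings are assumed to start with a dotted version number.

```python
import re

# Rows of the Response Matrix that carry a fix: platform -> (CVE, fixed version).
FIXES = {
    "macos": ("CVE-2023-34057", (12, 1, 1)),
    "windows": ("CVE-2023-34058", (12, 3, 5)),
}

def parse_version(text):
    """Return the leading dotted version as a 3-tuple, ignoring build suffixes."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_listed_branches(v):
    """True for the branches the matrix names: 12.x.x, 11.x.x, 10.3.x."""
    return v[0] in (11, 12) or v[:2] == (10, 3)

def triage(platform, version_text):
    """Classify one guest as (status, cve) against the advisory's matrix."""
    platform = platform.strip().lower()
    if platform == "linux":
        # The Notes say open-vm-tools is impacted by CVE-2023-34058 and fixed
        # by distributions; the page gives no version, so defer to the distro.
        return ("check-distro", "CVE-2023-34058")
    if platform not in FIXES:
        return ("unknown-platform", None)
    cve, fixed = FIXES[platform]
    v = parse_version(version_text)
    if v >= fixed:
        return ("fixed", cve)
    if in_listed_branches(v):
        return ("affected", cve)
    return ("not-listed", cve)  # older than 10.3.x: outside the matrix

# Constructed inventory: host, platform, reported Tools version.
INVENTORY = [
    ("build-mac-01", "macOS", "12.1.0"),
    ("build-mac-02", "macOS", "12.1.1"),
    ("app-win-07", "Windows", "12.3.0.44994 (build-22234872)"),
    ("app-win-08", "Windows", "12.3.5"),
    ("legacy-win-01", "Windows", "10.2.5"),
    ("web-lnx-03", "Linux", "12.2.0"),
]

def report(inventory=INVENTORY):
    return {host: triage(p, v) for host, p, v in inventory}
```

Guests reported as "not-listed" run a branch the matrix does not name, so the advisory alone does not say whether they are affected.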


4. References

Fixed Version(s) and Release Notes:

VMware Tools 12.3.5 (Windows)
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VMTOOLS1235&productId=1259&rPId=112353
https://docs.vmware.com/en/VMware-Tools/12.3/rn/vmware-tools-1235-release-notes/index.html

VMware Tools 12.1.1 (macOS)
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VMTOOLS1235&productId=1259&rPId=112353
https://docs.vmware.com/en/VMware-Tools/12.3/rn/vmware-tools-1235-release-notes/index.html

Mitre CVE Dictionary Links
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34057
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34058


FIRST CVSSv3 Calculator
CVE-2023-34057: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-34058: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
5. Change Log

2023-10-26 VMSA-2023-0024
Initial security advisory.


6. Contact

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
