
Bug#1050970: open-vm-tools: CVE-2023-20900


Salvatore Bonaccorso

Aug 31, 2023, 4:10:05 PM
Source: open-vm-tools
Version: 2:12.2.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>

Hi,

The following vulnerability was published for open-vm-tools.

CVE-2023-20900[0]:
| VMware Tools contains a SAML token signature bypass vulnerability. A
| malicious actor with man-in-the-middle (MITM) network positioning
| between vCenter server and the virtual machine may be able to bypass
| SAML token signature verification, to perform VMware Tools Guest
| Operations.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-20900
    https://www.cve.org/CVERecord?id=CVE-2023-20900
[1] https://www.openwall.com/lists/oss-security/2023/08/31/1
[2] https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.4.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Christian Ehrhardt

Sep 6, 2023, 3:40:05 AM
Hi,
FYI I'm currently preparing 12.3.0 (see bug 1050972) which will close this bug for trixie.

--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd

Bernd Zeimetz

Sep 6, 2023, 2:30:04 PM
Hi security team,

I'm preparing security uploads for bookworm-security and buster-security
for

> CVE-2023-20900[0]:
> | VMware Tools contains a SAML token signature bypass vulnerability. A
> | malicious actor with man-in-the-middle (MITM) network positioning
> | between vCenter server and the virtual machine may be able to bypass
> | SAML token signature verification, to perform VMware Tools Guest
> | Operations.
>

any objections against fixing CVE-2023-20867 at the same time?
It's a minor issue so we did not fix it, but I think it doesn't hurt
to include it in stable/oldstable uploads while we are at it.

Current (untested) diff would be:

https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/commit/3812674370c07c708744c0d1d497583dffa3d665


Thanks,

Bernd

--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F

Bernd Zeimetz

Sep 6, 2023, 2:30:05 PM
On 2023-09-06 20:11, Bernd Zeimetz wrote:
> Hi security team,
>
> I'm preparing security uploads for bookworm-security and
> buster-security

(bullseye-security of course... - we clearly have too many releases with
bu....)

Moritz Muehlenhoff

Sep 6, 2023, 3:10:04 PM
On Wed, Sep 06, 2023 at 08:11:17PM +0200, Bernd Zeimetz wrote:
> Hi security team,
>
> I'm preparing security uploads for bookworm-security and buster-security
> for
>
> > CVE-2023-20900[0]:
> > | VMware Tools contains a SAML token signature bypass vulnerability. A
> > | malicious actor with man-in-the-middle (MITM) network positioning
> > | between vCenter server and the virtual machine may be able to bypass
> > | SAML token signature verification, to perform VMware Tools Guest
> > | Operations.
> >
>
> any objections against fixing CVE-2023-20867 at the same time?
> It's a minor issue so we did not fix it, but I think it doesn't hurt
> to include it in stable/oldstable uploads while we are at it.

Ack, that's perfectly fine!
I'll have a look tomorrow.

Cheers,
Moritz