Aylin Sali
VMware
VMSA

VMware addressed CVE-2023-20900 in advisory VMSA-2023-0019. The vulnerability lies in the SAML token signature validation performed by VMware Tools. In this article, we'll dive into the nature of this vulnerability, its implications, and the response.

What are VMware Tools Guest Operations, and why authenticate using SAML?

VMware Tools Guest Operations (VMTG operations, as abbreviated in this article) provide a robust suite of utilities for managing virtual machines from vCenter or the ESXi host: executing commands directly within the guest OS, transferring files to and from it, and gathering critical system information. They underpin automation, diagnostics, and consistent VM management.

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties. It's commonly used to enable Single Sign-On (SSO), allowing users to authenticate once and gain access to multiple applications.

In vSphere, a Guest Operation is authenticated by presenting a SAML token issued by the vCenter Single Sign-On service to the VMware Tools authentication service (VGAuth) inside the guest, which maps the token's subject to a guest OS account through a Guest Alias. Using SAML here gives administrators signed (and optionally encrypted) tokens, single sign-on (SSO) across VMs, centralized auditing, and granular access control, a combination that balances efficiency, security, and scalability in complex virtualized environments.

The Vulnerability: CVE-2023-20900

At its core, CVE-2023-20900 is about the improper validation of SAML token signatures in VMware Tools. Ideally, digital signatures in SAML tokens ensure that the token hasn't been tampered with and originates from a legitimate identity provider. However, if the validation process isn't robust, attackers could potentially forge or manipulate these tokens, leading to unauthorized access or other security breaches.

The Nature of the Attack

"A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias."

In essence, a Guest Alias maps a vSphere SSO identity (the subject of a SAML token, together with the certificate expected to sign it) to a local user account inside the guest OS. If the guest has an alias mapped to a privileged local account, for example root or a local administrator, then an actor who holds Guest Operation privileges for some less privileged account and can produce a token that passes signature validation for the privileged subject obtains that account's rights. The more privileged alias is the pathway; the weak signature check is what makes it reachable.

Changes in VMware Tools Code

To address this vulnerability, VMware changed the code so that only X509 certificates are accepted as the source of the key used to validate a token signature. Here's the critical code snippet:


/* Use only X509 certs to validate the signature */
if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
                        BAD_CAST xmlSecKeyDataX509Id) < 0) {
    g_warning("Failed to limit allowed key data\n");
}


The dsigCtx in the snippet belongs to xmlsec, the XML Signature library that the VMware Tools authentication service uses to verify SAML tokens. The enabledKeyData list on the key-info read context controls which ds:KeyInfo element types may supply the verification key; when the list is left empty, every registered key data type is allowed, including ds:KeyValue, which carries a raw public key chosen by whoever produced the token. A token signed with an attacker's own key, with that key embedded in its KeyInfo, would then verify against itself. Limiting the list to xmlSecKeyDataX509Id means the key must come from an X509Data element, and the certificate it carries is validated by xmlsec against the certificates loaded into its keys manager, i.e. the signing certificates the guest trusts. That is what ties a valid signature back to a legitimate identity provider, and it significantly bolsters the security of the SAML authentication process in VMware Tools.
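To make the key-confusion risk concrete, here is an added example in Go. It is not open-vm-tools or VGAuth code: the token is a constructed stand-in for a SAML assertion that signs only the subject string rather than canonicalized XML, the trust store is a plain x509.CertPool, and the names vcenter-sso, attacker and Administrator@vsphere.local are made up. VerifyAnyKeyData accepts whatever key data the token carries, the way an unrestricted enabledKeyData list would; VerifyX509Only accepts only X509 key data and requires the certificate to chain to the guest's trust store, mirroring the fix.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Token is a constructed stand-in for a signed SAML assertion (not real XML); KeyValue and X509Cert mirror ds:KeyValue and ds:X509Data.
type Token struct {
	Subject   string // identity the assertion claims
	Signature []byte // RSA PKCS#1 v1.5 over SHA-256(Subject)
	KeyValue  *rsa.PublicKey
	X509Cert  []byte // DER-encoded certificate
}

func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// NewSigner returns a fresh RSA key and a self-signed certificate for it.
func NewSigner(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// Issue signs subject with priv, embeds the signer's certificate and, if asked, its raw key too.
func Issue(subject string, priv *rsa.PrivateKey, cert *x509.Certificate, embedKeyValue bool) (*Token, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(subject))
	if err != nil {
		return nil, err
	}
	t := &Token{Subject: subject, Signature: sig, X509Cert: cert.Raw}
	if embedKeyValue {
		t.KeyValue = &priv.PublicKey
	}
	return t, nil
}

// VerifyAnyKeyData models the weak behaviour: every key data type is enabled, so a
// ds:KeyValue chosen by the token's author checks the token's own signature; no trust store is consulted.
func VerifyAnyKeyData(t *Token, trusted *x509.CertPool) error {
	if t.KeyValue != nil {
		return rsa.VerifyPKCS1v15(t.KeyValue, crypto.SHA256, digest(t.Subject), t.Signature)
	}
	return VerifyX509Only(t, trusted)
}

// VerifyX509Only models the fix: only X509 key data is accepted, and the certificate
// must chain to the guest's trust store before its key is used to verify anything.
func VerifyX509Only(t *Token, trusted *x509.CertPool) error {
	if t.X509Cert == nil {
		return fmt.Errorf("no X509 key data in token")
	}
	cert, err := x509.ParseCertificate(t.X509Cert)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signing certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported signing key type")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(t.Subject), t.Signature)
}

func main() {
	idpKey, idpCert, _ := NewSigner("vcenter-sso") // the guest trusts this signer
	attKey, attCert, _ := NewSigner("attacker")    // the guest does not
	trusted := x509.NewCertPool()
	trusted.AddCert(idpCert)
	legit, _ := Issue("Administrator@vsphere.local", idpKey, idpCert, false)
	forged, _ := Issue("Administrator@vsphere.local", attKey, attCert, true)
	fmt.Println("legit  / any key data:", VerifyAnyKeyData(legit, trusted))  // <nil>
	fmt.Println("legit  / X509 only   :", VerifyX509Only(legit, trusted))    // <nil>
	fmt.Println("forged / any key data:", VerifyAnyKeyData(forged, trusted)) // <nil>: forgery accepted
	fmt.Println("forged / X509 only   :", VerifyX509Only(forged, trusted))   // untrusted signing certificate
}
```

Running it with go run prints four lines: the legitimate token passes both verifiers, while the forged token (signed with the attacker's key and carrying that key as KeyValue) passes the weak verifier and is rejected by the X509-only verifier because the attacker's self-signed certificate does not chain to the trust store. The weak verifier is not broken cryptographically; the signature really is valid for the embedded key. The problem is that the token, not the verifier, chose which key counts.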

Implications and Recommendations

To remediate CVE-2023-20900, update VMware Tools to the fixed versions listed below. For open-vm-tools, the fix is also shipped through Linux distribution packages, so check your distribution's advisory for the corresponding package version:


Windows: 12.3.0
Linux: 10.3.26
Linux (open-vm-tools): 12.3.0

How Runecast protects against VMSA-2023-0019

Within hours of the VMSA being published, Runecast released a new set of definitions (v6.7.0.2), including this VMSA and coverage for new Linux CVEs (RHEL - 22 CVEs, Ubuntu - 79 CVEs) among other improvements.


Please update your Runecast Analyzer definitions, run an analysis, and check the results.

Cybersecurity is a constantly changing field, and new threats emerge all the time. By keeping up to date with the latest intelligence, organizations can ensure that their defenses remain effective against them.

Runecast helps you reduce the risk of falling victim to this kind of attack:

  • The most comprehensive and complete VMware vulnerability and security assessment, powered by our patented rules engine.
  • Prioritization of vulnerabilities based on their severity levels and known exploited vulnerabilities information.
  • The fastest release cycle for vulnerabilities and security standards, thanks to the Runecast AI Knowledge Automation Platform.
  • Best value for money on the market, with 15-minute agentless deployment and results.
  • Unmatched secure deployment methods that support air-gapped environments.
  • Remediation options.

If you use Runecast regularly and follow its recommendations, you can:

  • Maintain a hardened configuration to reduce the attack surface.
  • Save time by automating remediation.
  • Stay free of critical vulnerabilities with prioritization of known exploited vulnerabilities.
  • Significantly reduce the risk of malware, including ransomware, compromising your systems.

Runecast is a powerful AI-driven platform that can help you reduce the risk of falling victim to a VMware ransomware attack. While no solution can guarantee 100% prevention, Runecast gives you the best chance of avoiding a costly and damaging attack.
