Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 16 Oct 2023 03:48:14 +0200
From: Solar Designer <>
Cc: VMware Security Response Center <>
Subject: CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module


This was brought to linux-distros on June 6 with "scheduled public
disclosure on June 13th, 2023."  There's a VMware security advisory that
says it was published on that date:

and patches are available at:

but the issue was wrongly never brought to oss-security (or at least I
couldn't find it) - so I am correcting this now.

Quoting from the linux-distros message:

> Description
> ==============================================================
> CVE-2023-20867: VMware Tools contains an Authentication Bypass
> vulnerability in the vgauth module. VMware has evaluated the severity
> of this issue to be in the Low severity range with a maximum CVSSv3.1
> base score of 3.9 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N.
> Known Attack Vectors
> ==============================================================
> A fully compromised ESXi host can force VMware Tools to fail to
> authenticate host-to-guest operations, impacting the confidentiality
> and integrity of the virtual machine.

Quoting from the GitHub URL above:

> The issue has been fixed in the open-vm-tools version 12.2.5 released on
> June 13, 2023.
> The following patch provided to the open-vm-tools community can be used
> to apply the security fix to previous open-vm-tools releases.
> For releases 12.2.0, 12.1.5, 12.1.0, 12.0.5, 12.0.0, 11.3.5, 11.3.0
>     2023-20867-Remove-some-dead-code.patch
> For releases 11.1.0, 11.1.5, 11.2.0, 11.2.5
>     2023-20867-Remove-some-dead-code-1110-1125.patch
> For releases 11.0.0, 11.0.5
>     2023-20867-Remove-some-dead-code-1100-1105.patch
> For releases 10.3.0, 10.3.5, 10.3.10
>     2023-20867-Remove-some-dead-code-1030-10310.patch
> The patches have been tested against the above open-vm-tools releases.
> Each applies cleanly with:
> git am        for a git repository.
> patch -p2     in the top directory of an open-vm-tools source tree.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.