Bug#1054666: open-vm-tools: CVE-2023-34059 CVE-2023-34058

2023-10-31 Thread Moritz Muehlenhoff
On Tue, Oct 31, 2023 at 10:29:55AM +0100, Bernd Zeimetz wrote:
> 
> Both uploaded!

DSA has been released, thanks!

Cheers,
Moritz



Bug#1054666: open-vm-tools: CVE-2023-34059 CVE-2023-34058

2023-10-31 Thread Bernd Zeimetz
On Mon, 2023-10-30 at 22:50 +0100, Moritz Muehlenhoff wrote:
> On Mon, Oct 30, 2023 at 07:09:53PM +0100, Bernd Zeimetz wrote:
> > Hi Moritz,
> > 
> > as usual, stable/oldstable updates prepared, diffs are attached to
> > this
> > mail as salsa seems to have some issues right now.
> > 
> > https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/ -
> > bookworm/bullseye branches are actually there.
> > 
> > Please let me know if/when I can upload.
> 
> Thanks, these look fine, please upload to security-master.
> 

Both uploaded!

Thanks,

Bernd


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F



Bug#1054666: open-vm-tools: CVE-2023-34059 CVE-2023-34058

2023-10-30 Thread Moritz Muehlenhoff
On Mon, Oct 30, 2023 at 07:09:53PM +0100, Bernd Zeimetz wrote:
> Hi Moritz,
> 
> as usual, stable/oldstable updates prepared, diffs are attached to this
> mail as salsa seems to have some issues right now.
> 
> https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/ -
> bookworm/bullseye branches are actually there.
> 
> Please let me know if/when I can upload.

Thanks, these look fine, please upload to security-master.

Cheers,
Moritz



Bug#1054666: open-vm-tools: CVE-2023-34059 CVE-2023-34058

2023-10-30 Thread Bernd Zeimetz
Hi Moritz,

as usual, stable/oldstable updates prepared, diffs are attached to this
mail as salsa seems to have some issues right now.

https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/ -
bookworm/bullseye branches are actually there.

Please let me know if/when I can upload.

Thanks,

Bernd


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

diff --git a/debian/changelog b/debian/changelog
index a68092c65..b550b2ff4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+open-vm-tools (2:12.2.0-1+deb12u2) bookworm-security; urgency=medium
+
+  * Closes:  #1054666
+  * [81326c8] Fixing CVE-2023-34059.
+This fixes a file descriptor hijack vulnerability in the vmware-user-suid-wrapper
+command.  A malicious actor with non-root privileges might have been able to hijack the
+/dev/uinput file descriptor allowing them to simulate user inputs.
+  * [95acc49] Fixing CVE-2023-34058.
+This fixes a SAML Token Signature Bypass vulnerability. A malicious actor
+that has been granted Guest Operation Privileges in a target virtual
+machine might have been able to elevate their privileges if that target
+virtual machine has been assigned a more privileged Guest Alias.
+
+ -- Bernd Zeimetz   Mon, 30 Oct 2023 17:59:25 +0100
+
 open-vm-tools (2:12.2.0-1+deb12u1) bookworm-security; urgency=medium
 
   * [3812674] Fixing CVE-2023-20867, CVE-2023-20900
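Review bot: the "* Closes:  #1054666" bullet at the top of the new entry closes the bug without saying what closed it; Debian convention is to attach the reference to the fix lines themselves, e.g. `* [81326c8] Fixing CVE-2023-34059. (Closes: #1054666)`, so the BTS closure is tied to the change that resolves it. Also, the continuation lines under each bullet ("This fixes a file descriptor hijack ...", "This fixes a SAML Token Signature Bypass ...") appear here with no leading indentation; the dpkg changelog format requires body lines to be indented by at least two spaces, so confirm the indentation is intact in the uploaded file rather than only lost in this mail.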
diff --git a/debian/patches/CVE-2023-34058.patch b/debian/patches/CVE-2023-34058.patch
new file mode 100644
index 0..79cea095c
--- /dev/null
+++ b/debian/patches/CVE-2023-34058.patch
@@ -0,0 +1,234 @@
+From 6822b5a84f8cfa60d46479d6b8f1c63eb85eac87 Mon Sep 17 00:00:00 2001
+From: John Wolfe 
+Date: Wed, 18 Oct 2023 09:04:07 -0700
+Subject: [PATCH] Address CVE-2023-34058
+
+VGAuth: don't accept tokens with unrelated certs.
+
+---
+ open-vm-tools/vgauth/common/certverify.c| 145 
+ open-vm-tools/vgauth/common/certverify.h|   4 +
+ open-vm-tools/vgauth/common/prefs.h |   2 +
+ open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c |  14 +++
+ 4 files changed, 165 insertions(+)
+
+Index: pkg-open-vm-tools/open-vm-tools/vgauth/common/certverify.c
+===
+--- pkg-open-vm-tools.orig/open-vm-tools/vgauth/common/certverify.c
 pkg-open-vm-tools/open-vm-tools/vgauth/common/certverify.c
+@@ -914,3 +914,148 @@ done:
+ 
+return err;
+ }
++
++
++/*
++ * Finds a cert with a subject (if checkSubj is set) or issuer (if
++ * checkSUbj is unset), matching 'val' in the list
++ * of certs.  Returns a match or NULL.
++ */
++
++static X509 *
++FindCert(GList *cList,
++ X509_NAME *val,
++ int checkSubj)
++{
++   GList *l;
++   X509 *c;
++   X509_NAME *v;
++
++   l = cList;
++   while (l != NULL) {
++  c = (X509 *) l->data;
++  if (checkSubj) {
++ v = X509_get_subject_name(c);
++  } else {
++ v = X509_get_issuer_name(c);
++  }
++  if (X509_NAME_cmp(val, v) == 0) {
++ return c;
++  }
++  l = l->next;
++   }
++   return NULL;
++}
++
++
++/*
++ **
++ * CertVerify_CheckForUnrelatedCerts --  */ /**
++ *
++ * Looks over a list of certs.  If it finds that they are not all
++ * part of the same chain, returns failure.
++ *
++ * @param[in] numCerts  The number of certs in the chain.
++ * @param[in] pemCerts  The chain of certificates to verify.
++ *
++ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found.
++ *
++ **
++ */
++
++VGAuthError
++CertVerify_CheckForUnrelatedCerts(int numCerts,
++  const char **pemCerts)
++{
++   VGAuthError err = VGAUTH_E_FAIL;
++   int chainLen = 0;
++   int i;
++   X509 **certs = NULL;
++   GList *rawList = NULL;
++   X509 *baseCert;
++   X509 *curCert;
++   X509_NAME *subject;
++   X509_NAME *issuer;
++
++   /* common single cert case; nothing to do */
++   if (numCerts == 1) {
++  return VGAUTH_E_OK;
++   }
++
++   /* convert all PEM to X509 objects */
++   certs = g_malloc0(numCerts * sizeof(X509 *));
++   for (i = 0; i < numCerts; i++) {
++  certs[i] = CertStringToX509(pemCerts[i]);
++  if (NULL == certs[i]) {
++ g_warning("%s: failed to convert cert to X509\n", __FUNCTION__);
++ goto done;
++  }
++   }
++
++   /* choose the cert to start the chain.  shouldn't matter which */
++   baseCert = certs[0];
++
++   /* put the rest into a list */
++   for (i = 1; i < numCerts; i++) {
++  rawList = g_list_append(rawList, certs[i]);
++   }
++
++   /* now chase down to a leaf, looking for certs the 
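Review bot: CertVerify_CheckForUnrelatedCerts only special-cases numCerts == 1; for numCerts <= 0 it falls through to `g_malloc0(numCerts * sizeof(X509 *))` and the conversion loop, so add an explicit guard before allocating (VGAUTH_E_OK for zero certs, VGAUTH_E_FAIL for a negative count). On the `goto done` inside the conversion loop the certs array is only partially filled, so the done: label (past the point where this attachment is cut off) must X509_free every entry converted so far and g_free the array and rawList, otherwise every rejected token leaks memory in the service. Minor: the comment above FindCert reads "checkSUbj"; fix the capitalisation. Also, the inner file header line " pkg-open-vm-tools/open-vm-tools/vgauth/common/certverify.c" has lost its "++++ " prefix as shown here; check that the quilt patch applies cleanly on the bookworm and bullseye branches before upload.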

Bug#1054666: open-vm-tools: CVE-2023-34059 CVE-2023-34058

2023-10-27 Thread Moritz Mühlenhoff
Source: open-vm-tools
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for open-vm-tools.

CVE-2023-34059[0]:
| open-vm-tools contains a file descriptor hijack vulnerability in the
| vmware-user-suid-wrapper. A malicious actor with non-root privileges
| may be able to hijack the /dev/uinput file descriptor allowing them
| to simulate user inputs.

https://www.openwall.com/lists/oss-security/2023/10/27/3

CVE-2023-34058[1]:
| VMware Tools contains a SAML token signature bypass vulnerability. A
| malicious actor that has been granted Guest Operation Privileges
| (https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html)
| in a target virtual machine may be able to elevate their privileges if
| that target virtual machine has been assigned a more privileged Guest
| Alias
| (https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html).

https://www.openwall.com/lists/oss-security/2023/10/27/1
https://github.com/vmware/open-vm-tools/blob/CVE-2023-34058.patch/CVE-2023-34058.patch


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34059
https://www.cve.org/CVERecord?id=CVE-2023-34059
[1] https://security-tracker.debian.org/tracker/CVE-2023-34058
https://www.cve.org/CVERecord?id=CVE-2023-34058

Please adjust the affected versions in the BTS as needed.