Coordinated Disclosure Timeline
- 2023-06-16: Sent report to VMware.
- 2023-06-16: VMware confirmed receiving the report.
- 2023-06-28: Additional inquiry from VMware.
- 2023-08-31: Security advisory was published by VMware as VMSA-2023-0019 / CVE-2023-20900.
Summary
A SAML authentication bypass vulnerability was found in the vgauth module of the VMware tools (open-vm-tools).
Product
VMware Tools and open-vm-tools
Tested Version
Details
Authentication bypass (GHSL-2023-138)
A SAML authentication bypass vulnerability was found in the vgauth module of VMware Tools that allows an attacker in a privileged position to sign arbitrary SAML assertions with a key of their own choosing and have them accepted. The root cause is how vgauth uses the libxmlsecurity library to verify the signature of a SAML token. When libxmlsecurity is used together with a key manager, the origin of the public key used for signature verification is, by default, not restricted to the keys held by that manager. An attacker can therefore sign a SAML assertion with their own private key and embed the matching public key (e.g. an RSA key) directly in the SAML token; the library then verifies the signature against the attacker-supplied key and the check passes.
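The following Go program is an added illustration of the key-origin problem described above; it is not code from vgauth, VMware Tools or libxmlsecurity, and the Token type, the Sign/VerifyPermissive/VerifyStrict functions and the "alice"/"root" subjects are hypothetical stand-ins for a real SAML assertion and its XML-DSig processing (a fixed serialisation of the subject replaces canonicalisation). VerifyPermissive reproduces the vulnerable behaviour: a public key carried inside the token is used as-is, so a forger who signs with a fresh key and embeds that key passes. VerifyStrict only ever tries keys from the trusted store, which is the behaviour a verifier needs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Token is a simplified stand-in for a signed SAML assertion (hypothetical,
// not vgauth's format). Subject is the signed payload, Signature a PKCS#1 v1.5
// / SHA-256 signature over it, and KeyInfo plays the role of <ds:KeyInfo>:
// a PKIX-encoded public key carried inside the token, chosen by its producer.
type Token struct {
	Subject   string
	Signature []byte
	KeyInfo   []byte // nil when the token carries no key
}

// digest hashes what the signature covers; a fixed serialisation of the
// subject stands in for XML-DSig canonicalisation.
func digest(subject string) []byte {
	h := sha256.Sum256([]byte("<Assertion><Subject>" + subject + "</Subject></Assertion>"))
	return h[:]
}

// Sign builds a token; embed=true copies the signer's own public key into
// KeyInfo, which is exactly what a forger does with their key.
func Sign(priv *rsa.PrivateKey, subject string, embed bool) (*Token, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(subject))
	if err != nil {
		return nil, err
	}
	t := &Token{Subject: subject, Signature: sig}
	if embed {
		if t.KeyInfo, err = x509.MarshalPKIXPublicKey(&priv.PublicKey); err != nil {
			return nil, err
		}
	}
	return t, nil
}

// VerifyStrict is the hardened behaviour: key material inside the token is
// ignored for key selection and only keys from the trusted store are tried.
func VerifyStrict(t *Token, trusted []*rsa.PublicKey) error {
	for _, pub := range trusted {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(t.Subject), t.Signature) == nil {
			return nil
		}
	}
	return fmt.Errorf("signature does not verify against any trusted key")
}

// VerifyPermissive models the vulnerable default: a key found in KeyInfo is
// used as-is; the trusted store is only consulted when no key is embedded.
func VerifyPermissive(t *Token, trusted []*rsa.PublicKey) error {
	if t.KeyInfo == nil {
		return VerifyStrict(t, trusted)
	}
	k, err := x509.ParsePKIXPublicKey(t.KeyInfo)
	if err != nil {
		return err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("embedded key is not RSA")
	}
	// The attacker-chosen key is used to check the attacker-made signature.
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(t.Subject), t.Signature)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo plays both sides: the IdP signs a genuine assertion for "alice"; the
// attacker signs a forged one for "root" with a fresh key and embeds that key.
// It returns whether the genuine token passes the strict verifier and whether
// the forged token passes the permissive and the strict verifier.
func Demo() (genuineStrict, forgedPermissive, forgedStrict bool) {
	idpKey := must(rsa.GenerateKey(rand.Reader, 2048))
	attackerKey := must(rsa.GenerateKey(rand.Reader, 2048))
	trusted := []*rsa.PublicKey{&idpKey.PublicKey} // the only key that should ever verify
	genuine := must(Sign(idpKey, "alice", false))
	forged := must(Sign(attackerKey, "root", true))
	return VerifyStrict(genuine, trusted) == nil,
		VerifyPermissive(forged, trusted) == nil,
		VerifyStrict(forged, trusted) == nil
}

func main() {
	g, p, s := Demo()
	fmt.Printf("genuine/strict=%v forged/permissive=%v forged/strict=%v\n", g, p, s)
}
```

Running main prints genuine/strict=true forged/permissive=true forged/strict=false: the signature itself is cryptographically valid in both verifiers, so the bug is not in the signature check but in letting the document nominate the key it is checked against. The corresponding hardening in an XML-DSig library is to restrict where verification keys may come from so that KeyInfo contents are never used as a trust anchor and only keys from the configured key store are tried.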
Log entries of a failed authentication attempt
A successful authentication with a token signed by an attacker looks the same in the logs as one with a token signed by the intended private key, so a successful attack leaves no distinctive trace. A failed authentication attempt with a potentially forged token may, however, leave entries like the following in the vgauthsvc.log file on the guest VM:
[2023-09-09T17:17:17.123Z] [ warning] [VGAuthService] XML Error: func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha256:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify
[2023-09-09T17:17:17.123Z] [ warning] [VGAuthService] VerifySignature: Signature is invalid (got 2)
Impact
The VMware advisory contains the following note regarding the attack vector:
A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.
CVE
- CVE-2023-20900
Credit
This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-138 in any communication regarding this issue.