Zero-day vulnerability in VMware Tools

Improper Authentication
CVE-2023-20867

The vulnerability is known to be exploited by the UNC3886 APT actor.

Vulnerability details

Advisory: SB2023061339 - Authentication bypass in VMware Tools

Vulnerable component: VMware Tools

CVE-ID: CVE-2023-20867

CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-287 - Improper Authentication

Description:

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error in the vgauth module. An attacker who has compromised the ESXi host can bypass the authentication process and execute privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authenticating with guest credentials. By default, this activity is not logged on the guest VMs.

Note: the vulnerability is being actively exploited in the wild by the UNC3886 APT actor.

External links:

https://www.vmware.com/security/advisories/VMSA-2023-0013.html

https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass