VMware Tools Actively Exploited Zero-Day Vulnerability

June 14, 2023

VMware has addressed a zero-day vulnerability in VMware Tools that has been actively exploited.

Exploitation of this vulnerability enables attackers to bypass authentication and execute privileged commands on guest virtual machines running Windows, Linux, and PhotonOS (vCenter). This can occur without leaving any trace or logs of the malicious activity within the VMware environments.

The Vulnerability

  • CVE-2023-20867 – Authentication bypass vulnerability in the VMware Tools vgauth module. A threat actor who already has root access to the ESXi host may be able to force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.

Affected Versions

  • VMware Tools versions 12.x.x, 11.x.x, 10.3.x

Mitigation

CYREBRO urges all clients to update VMware Tools to version 12.2.5.
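
To find guests that still need the update, the following added example (not VMware or CYREBRO code) triages a guest inventory against the affected branches and the fixed version listed above. It assumes version strings in the form printed by `vmware-toolbox-cmd -v`; the hostnames and build numbers in the sample are constructed.

```python
import re

FIXED = (12, 2, 5)  # fixed release named in the advisory
# Branches the advisory lists as affected: 12.x.x, 11.x.x, 10.3.x
AFFECTED_BRANCHES = [(12,), (11,), (10, 3)]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Classify one reported VMware Tools version string."""
    v = parse_version(text)
    if v is None:
        return "unparsed"   # no version found; check the guest manually
    if v >= FIXED:
        return "patched"
    if any(v[:len(b)] == b for b in AFFECTED_BRANCHES):
        return "affected"
    return "unlisted"       # branch not named in the advisory; review manually


def triage(inventory):
    """Map guest name -> status for an iterable of (guest, version_text)."""
    return {guest: classify(text) for guest, text in inventory}


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = [
    ("web01", "12.1.5.39265 (build-20735119)"),
    ("db01", "11.3.5.31214 (build-18557794)"),
    ("legacy01", "10.3.10.10540 (build-12406962)"),
    ("app02", "12.2.5.12345 (build-00000000)"),
    ("old01", "10.1.0.1234 (build-0000000)"),
    ("broken01", "command not found"),
]

if __name__ == "__main__":
    for guest, status in triage(SAMPLE).items():
        print(f"{guest:10} {status}")
```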

References: VMware Advisory 
