Vmware Privileged Guest Operations Vulnerability

According to the vulnerability report published on 13th of June, a fully compromised ESXi host may force VMware Tools to fail to authenticate host-to-guest operations, negatively impacting the confidentiality and integrity of the guest virtual machine (CVE-2023-20867, CVE-2022-22948).

Steps of Attack:

  • Attacker gains privileged access on vCenter
  • Attacker retrieves the 'vpxuser' credential information on vCenter
  • Attacker accesses the ESXi hosts with the retrieved user information
  • Attacker deploys a malicious VIB (vSphere Installation Bundle) on the ESXi host
  • Attacker installs backdoors using VIRTUALPITA and VIRTUALPIE
  • Attacker runs unauthenticated commands on the guest VMs from the compromised ESXi hosts, as described in CVE-2023-20867

Affected Systems

The vulnerability that allows the encrypted "vpxuser" credentials to be obtained in clear text (CVE-2022-22948) affects VMware vCenter Server 6.5/6.7/7.0. Affected and fixed versions:

Affected Version | Fixed Version
6.5              | 6.5 U3r
6.7              | 6.7 U3p
7.0              | 7.0 U3d
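To turn the table above into a repeatable inventory check, the following added example (not part of the advisory, and not VMware's own tooling) compares a vCenter Server version string such as "7.0 U3c" against the fixed releases listed for CVE-2022-22948. The version strings, host names and inventory list are constructed for illustration; the assumed input format is "major.minor" optionally followed by an update level like "U3r", where a missing update level means the GA release.

```python
# Added example: classify vCenter Server versions against the advisory's
# fixed releases for CVE-2022-22948. Inventory data below is constructed.
import re
from typing import List, Optional, Tuple

# Fixed update levels from the advisory table, keyed by release line.
FIXED_RELEASES = {
    "6.5": "U3r",
    "6.7": "U3p",
    "7.0": "U3d",
}

_UPDATE_RE = re.compile(r"^U(\d+)([a-z]?)$")


def parse_update(update: Optional[str]) -> Tuple[int, int]:
    """Map an update level like 'U3r' to a sortable (update, letter) pair.

    GA (no update level) sorts as (0, 0); 'U3' sorts as (3, 0); 'U3a' as (3, 1).
    """
    if not update:
        return (0, 0)
    match = _UPDATE_RE.match(update.strip())
    if not match:
        raise ValueError(f"unrecognised update level: {update!r}")
    number = int(match.group(1))
    letter = match.group(2)
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return (number, letter_rank)


def is_affected(version: str) -> Optional[bool]:
    """Return True if the version is older than the fixed release, False if it is
    the fixed release or newer, and None if the release line is not in the table
    (for example 8.0), so unknown lines are never silently reported as safe."""
    parts = version.strip().split()
    line = parts[0]
    update = parts[1] if len(parts) > 1 else None
    fixed = FIXED_RELEASES.get(line)
    if fixed is None:
        return None
    return parse_update(update) < parse_update(fixed)


# Constructed inventory: (hostname, reported vCenter version).
INVENTORY = [
    ("vcsa-prod.example.test", "7.0 U3c"),   # below 7.0 U3d -> affected
    ("vcsa-lab.example.test", "6.7 U3p"),    # exactly the fixed release
    ("vcsa-dr.example.test", "6.5 U3q"),     # one letter below 6.5 U3r -> affected
    ("vcsa-new.example.test", "8.0 U1"),     # not covered by the table
]


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hostnames whose version is below the fixed release for their line."""
    return [host for host, version in inventory if is_affected(version) is True]


def unreviewed_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hostnames whose release line is not in the table and needs manual review."""
    return [host for host, version in inventory if is_affected(version) is None]


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"PATCH REQUIRED: {host}")
    for host in unreviewed_hosts(INVENTORY):
        print(f"NOT IN TABLE, REVIEW MANUALLY: {host}")
```

Release lines outside the table are returned as "unknown" rather than "not affected" on purpose: the advisory only lists 6.5, 6.7 and 7.0, so a version it does not mention should be checked against the vendor's own advisory rather than assumed patched.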

IoCs

-

Recommended Solution(s)

It is recommended to patch the affected versions if vCenter servers of the versions listed above are present in the virtualization environment.

Mitigations

VMware recommends applying the update for the vulnerability (CVE-2023-20862) that enables remote code execution in VMware Tools, and making the necessary hardening changes in virtualization environments according to the documentation they have published:

https://core.vmware.com/vmware-vsphere-8-security-configuration-guide#use-your-head

CVE / CWE

CVE-2023-20867, CVE-2022-22948

Related Website(s)

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.