Wednesday, December 6, 2023

[USN-6463-2] Open VM Tools vulnerabilities

-----BEGIN PGP SIGNATURE-----

wsD5BAABCAAjFiEEcxdv4gCCE8W9nrt5a1+PL+d1/EgFAmVwi9QFAwAAAAAACgkQa1+PL+d1/Ehn
aQv9F2jTzFjQ4RC6O6wg0KbWinuSa3cUy3kHmsMNwBEGEmr9h7P20jX5V0v8F9TXZi4IAGzXnYqH
gAIwsc6YoQ9zzwfLdqIpM93aayar3GrlbiiT/PAxVWTs7VdvUjomtWmUU9Ax+jLd3v8D0dMedVGR
XDxSI/nb0YXvITeSIqEj4m0NjGzqQ0QuU9FVDR8lsA2j3Dm4LUClbJ3c1fc5vI5KBOjKRyc2XDY0
ZczDZzop7i0DAuxtzfPuwEJInDyi1/Lndguw26auJ1wQt0Tr88AwPdfc89JSjHdiwKiaIz5yhO3R
1nAIo22WocBPoWXaNbCC5E7gcq0gZN/4hjeEysTjZSWiJsvmEko1ts41WjNv4hJ7PEC2kl7IlMsq
EZTNpB5HaAdV03fKSz1mI8+YfcjR/UiEQVZO3vjqQuK9Nl0LEqPwQdTFzeaIsr8f2F7CXLgeIx3E
kt/0B5uZnWwGf7Q8GKCqn4QipJpoLbroVegst/dAgKmYqdaZ2mQ+Z95UcgY5
=qZRZ
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6463-2
December 06, 2023

open-vm-tools vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Open VM Tools.

Software Description:
- open-vm-tools: Open VMware Tools for virtual machines hosted on VMware

Details:

USN-6463-1 fixed vulnerabilities in Open VM Tools. This update provides
the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 It was discovered that Open VM Tools incorrectly handled SAML tokens. A
 remote attacker with Guest Operations privileges could possibly use this
 issue to elevate their privileges. (CVE-2023-34058)

 Matthias Gerstner discovered that Open VM Tools incorrectly handled file
 descriptors when dropping privileges. A local attacker could possibly use
 this issue to hijack /dev/uinput and simulate user inputs.
 (CVE-2023-34059)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  open-vm-tools                   2:11.0.5-4ubuntu0.18.04.3+esm3
  open-vm-tools-desktop     2:11.0.5-4ubuntu0.18.04.3+esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  open-vm-tools                   2:10.2.0-3~ubuntu0.16.04.1+esm4
  open-vm-tools-desktop     2:10.2.0-3~ubuntu0.16.04.1+esm4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6463-2
  https://ubuntu.com/security/notices/USN-6463-1
  CVE-2023-34058, CVE-2023-34059

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)