author | Archana Polampalli <archana.polampalli@windriver.com> | 2023-11-14 05:50:09 +0000 |
committer | Armin Kuster <akuster808@gmail.com> | 2023-11-14 18:49:53 -0500 |
commit | 65cacf82582e527d42849c6dcb7eb4c9340ee833 (patch) | |
tree | 6408d8938091d275c61da8336ae1812bbd3b3a92 | |
parent | 0b1520a35c07ac98ce353605626b615dec2eedce (diff) | |
open-vm-tools: fix CVE-2023-34058
A flaw was found in open-vm-tools. This flaw allows a malicious actor that
has been granted Guest Operation Privileges in a target virtual machine to
elevate their privileges if that target virtual machine has been assigned
a more privileged Guest Alias.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-34058
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
[minor fixup]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-34058.patch | 241 | ||||
-rw-r--r-- | meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb | 1 |
2 files changed, 242 insertions, 0 deletions
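--- /dev/null
+++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-34058.patch
@@ -0,0 +1,241 @@
+From 6822b5a84f8cfa60d46479d6b8f1c63eb85eac87 Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Wed, 18 Oct 2023 09:04:07 -0700
+Subject: [PATCH] Address CVE-2023-34058
+
+VGAuth: don't accept tokens with unrelated certs.
+
+CVE: CVE-2023-34058
+
+Upstream-Status: Backport [https://github.com/vmware/open-vm-tools/commit/e5be40b9cc025d03ccd5689ef9192d29abd68bfe]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+open-vm-tools/vgauth/common/certverify.c | 145 ++++++++++++++++++
+open-vm-tools/vgauth/common/certverify.h | 4 +
+open-vm-tools/vgauth/common/prefs.h | 2 +
+.../vgauth/serviceImpl/saml-xmlsec1.c | 14 ++
+4 files changed, 165 insertions(+)
+
+diff --git a/open-vm-tools/vgauth/common/certverify.c b/open-vm-tools/vgauth/common/certverify.c
+index edf54928..29b12df3 100644
+--- a/open-vm-tools/vgauth/common/certverify.c
++++ b/open-vm-tools/vgauth/common/certverify.c
+@@ -893,3 +893,148 @@ done:
+
+return err;
+}
++
++
++/*
++ * Finds a cert with a subject (if checkSubj is set) or issuer (if
++ * checkSUbj is unset), matching 'val' in the list
++ * of certs. Returns a match or NULL.
++ */
++
++static X509 *
++FindCert(GList *cList,
++ X509_NAME *val,
++ int checkSubj)
++{
++ GList *l;
++ X509 *c;
++ X509_NAME *v;
++
++ l = cList;
++ while (l != NULL) {
++ c = (X509 *) l->data;
++ if (checkSubj) {
++ v = X509_get_subject_name(c);
++ } else {
++ v = X509_get_issuer_name(c);
++ }
++ if (X509_NAME_cmp(val, v) == 0) {
++ return c;
++ }
++ l = l->next;
++ }
++ return NULL;
++}
++
++
++/*
++ ******************************************************************************
++ * CertVerify_CheckForUnrelatedCerts -- */ /**
++ *
++ * Looks over a list of certs. If it finds that they are not all
++ * part of the same chain, returns failure.
++ *
++ * @param[in] numCerts The number of certs in the chain.
++ * @param[in] pemCerts The chain of certificates to verify.
++ *
++ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found.
++ *
++ ******************************************************************************
++ */
++
++VGAuthError
++CertVerify_CheckForUnrelatedCerts(int numCerts,
++ const char **pemCerts)
++{
++ VGAuthError err = VGAUTH_E_FAIL;
++ int chainLen = 0;
++ int i;
++ X509 **certs = NULL;
++ GList *rawList = NULL;
++ X509 *baseCert;
++ X509 *curCert;
++ X509_NAME *subject;
++ X509_NAME *issuer;
++
++ /* common single cert case; nothing to do */
++ if (numCerts == 1) {
++ return VGAUTH_E_OK;
++ }
++
++ /* convert all PEM to X509 objects */
++ certs = g_malloc0(numCerts * sizeof(X509 *));
++ for (i = 0; i < numCerts; i++) {
++ certs[i] = CertStringToX509(pemCerts[i]);
++ if (NULL == certs[i]) {
++ g_warning("%s: failed to convert cert to X509\n", __FUNCTION__);
++ goto done;
++ }
++ }
++
++ /* choose the cert to start the chain. shouldn't matter which */
++ baseCert = certs[0];
++
++ /* put the rest into a list */
++ for (i = 1; i < numCerts; i++) {
++ rawList = g_list_append(rawList, certs[i]);
++ }
++
++ /* now chase down to a leaf, looking for certs the baseCert issued */
++ subject = X509_get_subject_name(baseCert);
++ while ((curCert = FindCert(rawList, subject, 0)) != NULL) {
++ /* pull it from the list */
++ rawList = g_list_remove(rawList, curCert);
++ /* set up the next find */
++ subject = X509_get_subject_name(curCert);
++ }
++
++ /*
++ * walk up to the root cert, by finding a cert where the
++ * issuer equals the subject of the current
++ */
++ issuer = X509_get_issuer_name(baseCert);
++ while ((curCert = FindCert(rawList, issuer, 1)) != NULL) {
++ /* pull it from the list */
++ rawList = g_list_remove(rawList, curCert);
++ /* set up the next find */
++ issuer = X509_get_issuer_name(curCert);
++ }
++
++ /*
++ * At this point, anything on the list should be certs that are not part
++ * of the chain that includes the original 'baseCert'.
++ *
++ * For a valid token, the list should be empty.
++ */
++ chainLen = g_list_length(rawList);
++ if (chainLen != 0 ) {
++ GList *l;
++
++ g_warning("%s: %d unrelated certs found in list\n",
++ __FUNCTION__, chainLen);
++
++ /* debug helper */
++ l = rawList;
++ while (l != NULL) {
++ X509* c = (X509 *) l->data;
++ char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0);
++
++ g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s);
++ free(s);
++ l = l->next;
++ }
++
++ goto done;
++ }
++
++ g_debug("%s: Success! no unrelated certs found\n", __FUNCTION__);
++ err = VGAUTH_E_OK;
++
++done:
++ g_list_free(rawList);
++ for (i = 0; i < numCerts; i++) {
++ X509_free(certs[i]);
++ }
++ g_free(certs);
++ return err;
++}
+diff --git a/open-vm-tools/vgauth/common/certverify.h b/open-vm-tools/vgauth/common/certverify.h
+index d7c6410b..f582bb82 100644
+--- a/open-vm-tools/vgauth/common/certverify.h
++++ b/open-vm-tools/vgauth/common/certverify.h
+@@ -67,6 +67,10 @@ VGAuthError CertVerify_CheckSignatureUsingCert(VGAuthHashAlg hash,
+size_t signatureLen,
+const unsigned char *signature);
+
++
++VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts,
++ const char **pemCerts);
++
+gchar * CertVerify_StripPEMCert(const gchar *pemCert);
+
+gchar * CertVerify_CertToX509String(const gchar *pemCert);
+diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h
+index ff116928..87ccc9b3 100644
+--- a/open-vm-tools/vgauth/common/prefs.h
++++ b/open-vm-tools/vgauth/common/prefs.h
+@@ -136,6 +136,8 @@ msgCatalog = /etc/vmware-tools/vgauth/messages
+#define VGAUTH_PREF_ALIASSTORE_DIR "aliasStoreDir"
+/** The number of seconds slack allowed in either direction in SAML token date checks. */
+#define VGAUTH_PREF_CLOCK_SKEW_SECS "clockSkewAdjustment"
++/** If unrelated certificates are allowed in a SAML token */
++#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts"
+
+/** Ticket group name. */
+#define VGAUTH_PREF_GROUP_NAME_TICKET "ticket"
+diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+index aaa5082a..17b56de9 100644
+--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -47,6 +47,7 @@
+#include "vmxlog.h"
+
+static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS;
++static gboolean gAllowUnrelatedCerts = FALSE;
+static xmlSchemaPtr gParsedSchemas = NULL;
+static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL;
+
+@@ -313,6 +314,10 @@ LoadPrefs(void)
+VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS);
+Log("%s: Allowing %d of clock skew for SAML date validation\n",
+__FUNCTION__, gClockSkewAdjustment);
++ gAllowUnrelatedCerts = Pref_GetBool(gPrefs,
++ VGAUTH_PREF_ALLOW_UNRELATED_CERTS,
++ VGAUTH_PREF_GROUP_NAME_SERVICE,
++ FALSE);
+}
+
+
+@@ -1526,6 +1531,15 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText,
+if (FALSE == bRet) {
+return VGAUTH_E_AUTHENTICATION_DENIED;
+}
++ if (!gAllowUnrelatedCerts) {
++ err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain);
++ if (err != VGAUTH_E_OK) {
++ VMXLog_Log(VMXLOG_LEVEL_WARNING,
++ "Unrelated certs found in SAML token, failing\n");
++ return VGAUTH_E_AUTHENTICATION_DENIED;
++ }
++ }
++
+
+subj.type = SUBJECT_TYPE_NAMED;
+subj.name = *subjNameOut;
+--
+2.40.0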
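Review bot: In the debug loop of `CertVerify_CheckForUnrelatedCerts` the string returned by `X509_NAME_oneline(..., NULL, 0)` is released with `free(s)`; OpenSSL allocates that buffer through its own allocator, so it should be `OPENSSL_free(s);` to remain correct when the embedding application installs custom memory functions. The early return only covers `numCerts == 1`; if the caller in `SAML_VerifyBearerTokenAndChain` (whose body lies outside the hunk) can ever pass a zero-length chain, `g_malloc0(0)` yields NULL and `baseCert = certs[0]` dereferences it, so `if (numCerts <= 1) { return VGAUTH_E_OK; }` would be the safer guard, assuming an empty chain has already been rejected by the preceding signature check. The new comment on `VGAUTH_PREF_ALLOW_UNRELATED_CERTS` in prefs.h would also be clearer as `/** If unrelated certificates are allowed in a SAML token; TRUE disables the CertVerify_CheckForUnrelatedCerts check (default FALSE). */`, since turning the pref on re-opens the issue this patch closes.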
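--- a/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb
+++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb
@@ -47,6 +47,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=maste
 file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \
 file://CVE-2023-20867.patch;patchdir=.. \
 file://CVE-2023-20900.patch;patchdir=.. \
+file://CVE-2023-34058.patch;patchdir=.. \
 "
 
 UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)"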