diff options
| author | Narpat Mali <narpat.mali@windriver.com> | 2023-09-22 12:11:26 +0000 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-11-14 18:44:48 -0500 |
| commit | 0b1520a35c07ac98ce353605626b615dec2eedce (patch) | |
| tree | 18b3d4fa1bb4849f26d17f69de011708c95eec69 /meta-networking | |
| parent | 7da6cb848bc42b3e6bd5d2b37b52ba75510a6ca0 (diff) | |
| download | meta-openembedded-0b1520a35c07ac98ce353605626b615dec2eedce.tar.gz | |
open-vm-tools: fix CVE-2023-20900
A malicious actor that has been granted Guest Operation Privileges
https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID
-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine
may be able to elevate their privileges if that target virtual machine
has been assigned a more privileged Guest Alias https://vdc-download.
vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31
e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-20900
https://security-tracker.debian.org/tracker/CVE-2023-20900
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
[Minor fixup]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking')
| -rw-r--r-- | meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20900.patch | 36 | ||||
| -rw-r--r-- | meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb | 1 |
2 files changed, 37 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20900.patch b/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20900.patch new file mode 100644 index 0000000000..1b51e500aa --- /dev/null +++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20900.patch | |||
| @@ -0,0 +1,36 @@ | |||
| 1 | From 108d81c70d0a6792847051d121a660ef3511517d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Katy Feng <fkaty@vmware.com> | ||
| 3 | Date: Fri, 22 Sep 2023 10:15:58 +0000 | ||
| 4 | Subject: [PATCH] Allow only X509 certs to verify the SAML token signature. | ||
| 5 | |||
| 6 | CVE: CVE-2023-20900 | ||
| 7 | |||
| 8 | Upstream-Status: Backport [https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16] | ||
| 9 | |||
| 10 | Signed-off-by: Narpat Mali <narpat.mali@windriver.com> | ||
| 11 | --- | ||
| 12 | open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++- | ||
| 13 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
| 14 | |||
| 15 | diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | ||
| 16 | index aaa5082a..ad8fe304 100644 | ||
| 17 | --- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | ||
| 18 | +++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | ||
| 19 | @@ -1273,7 +1273,14 @@ VerifySignature(xmlDocPtr doc, | ||
| 20 | */ | ||
| 21 | bRet = RegisterID(xmlDocGetRootElement(doc), "ID"); | ||
| 22 | if (bRet == FALSE) { | ||
| 23 | - g_warning("failed to register ID\n"); | ||
| 24 | + g_warning("Failed to register ID\n"); | ||
| 25 | + goto done; | ||
| 26 | + } | ||
| 27 | + | ||
| 28 | + /* Use only X509 certs to validate the signature */ | ||
| 29 | + if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), | ||
| 30 | + BAD_CAST xmlSecKeyDataX509Id) < 0) { | ||
| 31 | + g_warning("Failed to limit allowed key data\n"); | ||
| 32 | goto done; | ||
| 33 | } | ||
| 34 | |||
| 35 | -- | ||
| 36 | 2.40.0 | ||
diff --git a/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb b/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb index c80827a992..bac9b694df 100644 --- a/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb +++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb | |||
| @@ -46,6 +46,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=maste | |||
| 46 | file://0001-open-vm-tools-Correct-include-path-for-poll.h.patch;patchdir=.. \ | 46 | file://0001-open-vm-tools-Correct-include-path-for-poll.h.patch;patchdir=.. \ |
| 47 | file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \ | 47 | file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \ |
| 48 | file://CVE-2023-20867.patch;patchdir=.. \ | 48 | file://CVE-2023-20867.patch;patchdir=.. \ |
| 49 | file://CVE-2023-20900.patch;patchdir=.. \ | ||
| 49 | " | 50 | " |
| 50 | 51 | ||
| 51 | UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)" | 52 | UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)" |
