oss-sec mailing list archives
CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools
From: VMware Security Response Center <security () vmware com>
Date: Fri, 27 Oct 2023 03:43:46 +0000
Description
==============================================================
CVE-2023-34059: open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.4.

- CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Known Attack Vectors
==============================================================
A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs.

Acknowledgement
==============================================================
VMware would like to thank Matthias Gerstner of the SUSE Linux Security Team for reporting this vulnerability to us.

Remediation
==============================================================
The following patch is provided for all open-vm-tools releases 11.0.0 through 12.3.0

https://github.com/vmware/open-vm-tools/blob/CVE-2023-34059.patch/CVE-2023-34059.patch

The patches have been tested against the above open-vm-tools releases. Each applies cleanly with:

    git am for a git repository.
    patch -p2 in the top directory of an open-vm-tools source tree.

--------------
Edward Hawkins
Staff-2 Technical Program Manager
security () vmware com