From: Narpat Mali <narpat.m...@windriver.com> A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID -6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias https://vdc-download. vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31 e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .
References: https://nvd.nist.gov/vuln/detail/CVE-2023-20900 https://security-tracker.debian.org/tracker/CVE-2023-20900 Signed-off-by: Narpat Mali <narpat.m...@windriver.com> --- .../open-vm-tools/CVE-2023-20900.patch | 36 +++++++++++++++++++ .../open-vm-tools/open-vm-tools_11.3.5.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20900.patch diff --git a/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20900.patch b/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20900.patch new file mode 100644 index 0000000000..1b51e500aa --- /dev/null +++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20900.patch @@ -0,0 +1,36 @@ +From 108d81c70d0a6792847051d121a660ef3511517d Mon Sep 17 00:00:00 2001 +From: Katy Feng <fk...@vmware.com> +Date: Fri, 22 Sep 2023 10:15:58 +0000 +Subject: [PATCH] Allow only X509 certs to verify the SAML token signature. + +CVE: CVE-2023-20900 + +Upstream-Status: Backport [https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16] + +Signed-off-by: Narpat Mali <narpat.m...@windriver.com> +--- + open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +index aaa5082a..ad8fe304 100644 +--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c ++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +@@ -1273,7 +1273,14 @@ VerifySignature(xmlDocPtr doc, + */ + bRet = RegisterID(xmlDocGetRootElement(doc), "ID"); + if (bRet == FALSE) { +- g_warning("failed to register ID\n"); ++ g_warning("Failed to register ID\n"); ++ goto done; ++ } ++ ++ /* Use only X509 certs to validate the signature */ ++ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), ++ BAD_CAST xmlSecKeyDataX509Id) < 0) { ++ g_warning("Failed to limit allowed key data\n"); + goto done; + } + +-- +2.40.0 diff --git a/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb b/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb index 4670a85a67..cf3af007b9 100644 --- a/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb +++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb @@ -45,6 +45,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=maste file://0002-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \ file://0001-open-vm-tools-Correct-include-path-for-poll.h.patch;patchdir=.. \ file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \ + file://CVE-2023-20900.patch;patchdir=.. \ " UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)" -- 2.40.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#105059): https://lists.openembedded.org/g/openembedded-devel/message/105059 Mute This Topic: https://lists.openembedded.org/mt/101519654/21656 Group Owner: openembedded-devel+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-