File Descriptor Hijack Vulnerability in Open-vm-tools by VMware
CVE-2023-34059

7 HIGH

Key Information:

Vendor: VMware
CVE Published: 27 October 2023

Summary

The open-vm-tools package contains a potential vulnerability within the vmware-user-suid-wrapper component. A threat actor with non-root privileges may exploit this vulnerability to intercept and manipulate the /dev/uinput file descriptor, thereby simulating user inputs. This could lead to malicious control over the host environment, allowing unauthorized actions and user impersonations.

Affected Version(s)

open-vm-tools Linux 11.0.0 <= 12.3.0

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved