Aylin Sali
VMware addressed a major vulnerability, CVE-2023-20900, in their advisory VMSA-2023-0019. This vulnerability revolves around SAML token signature validation in VMware Tools. In this article, we'll dive deep into the nature of this vulnerability, its implications, and response.

What are VMware Tools Guest Operations, and why authenticate using SAML?

VMware Tools Guest Operations provides a robust suite of utilities to streamline the management of virtual machines. From executing commands directly within the guest OS to transferring files and gathering critical system information, VMware Tools Guest (VMTG) operations elevate automation, diagnostics, and consistent VM management.

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties. It's commonly used to enable Single Sign-On (SSO), allowing users to authenticate once and gain access to multiple applications.

Using SAML for authentication to VMTG offers signed and encrypted tokens, seamless single sign-on (SSO) capabilities across VMs, centralized auditing, and granular access controls. This combination ensures a balanced blend of efficiency, security, and scalability for administrators in complex virtualized landscapes.

The Vulnerability: CVE-2023-20900

At its core, CVE-2023-20900 is about the improper validation of SAML token signatures in VMware Tools. Ideally, digital signatures in SAML tokens ensure that the token hasn't been tampered with and originates from a legitimate identity provider. However, if the validation process isn't robust, attackers could potentially forge or manipulate these tokens, leading to unauthorized access or other security breaches.

The Nature of the Attack

"A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias."

In essence, if an actor has been granted Guest Operation Privileges to a VM, they might leverage a more privileged Guest Alias within that VM to escalate their rights. An Alias here refers to a set of permissions granted to a user or group. So, if a VM has been assigned a more privileged alias, this can act as a potential pathway for the malicious actor.

Changes in VMware Tools Code

To address this vulnerability, VMware introduced a change in the code to enforce strict validation of signatures using X509 certificates. Here's the critical code snippet:

/* Use only X509 certs to validate the signature.
 * In xmlsec an empty enabledKeyData list means every registered key data
 * type is accepted; adding only the X509 id restricts the verifier to
 * certificates, which must then pass the trust checks. */
if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
                     BAD_CAST xmlSecKeyDataX509Id) < 0) {
    g_warning("Failed to limit allowed key data\n");
    /* error path continues in the source; verification must not proceed */
}

This change ensures that only X509 certificates are used for verifying SAML token signatures. Restricting the accepted key data types means the verifier no longer takes other forms of key material offered in the token's KeyInfo, such as a raw public key value, so the signing key must come from a certificate that can be checked against the trusted store. That significantly bolsters the security of the SAML authentication process in VMware Tools.
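To make the effect of that restriction concrete, here is an added Python example (not code from VMware Tools or open-vm-tools, which implement this in C with libxmlsec1) that applies the same key-selection policy to a constructed SAML-like assertion: only a ds:X509Data certificate already in the trust store may supply the verification key, and a ds:KeyValue carried inside the token is ignored. The certificate bytes, fingerprints, tokens and the function names select_verification_cert and accepts are all constructed for this illustration; the cryptographic signature check itself is left out of scope.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed placeholder for the IdP's DER certificate (not a real certificate).
TRUSTED_CERT_DER = b"constructed-placeholder-idp-cert-der"
TRUSTED_FINGERPRINTS = {hashlib.sha256(TRUSTED_CERT_DER).hexdigest()}

def select_verification_cert(token_xml, trusted=TRUSTED_FINGERPRINTS,
                             allowed_key_data=("X509Data",)):
    """Return the trusted DER certificate to check the signature against, or raise.
    Same policy as the fix: only X509Data may supply the key and it must be trusted;
    a ds:KeyValue carried in the token is skipped, so a token cannot vouch for itself.
    """
    key_info = ET.fromstring(token_xml).find(f".//{DS}Signature/{DS}KeyInfo")
    if key_info is None:
        raise ValueError("signature carries no KeyInfo")
    for child in key_info:
        if child.tag.replace(DS, "") not in allowed_key_data:
            continue  # disallowed key data type, e.g. ds:KeyValue
        cert_el = child.find(f"{DS}X509Certificate")
        if cert_el is None or not cert_el.text:
            continue
        der = base64.b64decode("".join(cert_el.text.split()))
        if hashlib.sha256(der).hexdigest() in trusted:
            return der
        raise ValueError("X509 certificate is not in the trust store")
    raise ValueError("no allowed key data in KeyInfo")

def accepts(token_xml):
    try:
        select_verification_cert(token_xml)
        return True
    except ValueError:
        return False

def _token(key_info_inner):
    # Constructed minimal SAML-like assertion with a stub signature (not a real token).
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1"><ds:Signature>'
            '<ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>'
            f'<ds:KeyInfo>{key_info_inner}</ds:KeyInfo></ds:Signature></saml:Assertion>')

TOKEN_TRUSTED_X509 = _token("<ds:X509Data><ds:X509Certificate>"
                            + base64.b64encode(TRUSTED_CERT_DER).decode()
                            + "</ds:X509Certificate></ds:X509Data>")
TOKEN_EMBEDDED_KEYVALUE = _token("<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>"
                                 "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>")
```

Passing an empty tuple as allowed_key_data models the unrestricted list the fix replaces, and the function then rejects everything, which is the fail-closed behaviour a verifier should default to rather than silently accepting embedded keys.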

Implications and Recommendations

To remediate and avoid exposure to CVE-2023-20900, apply the VMware Tools versions listed below:

  • Windows: 12.3.0
  • Linux: 10.3.26
  • Linux (open-vm-tools): 12.3.0

How Runecast protects against VMSA-2023-0019

Within hours of the VMSA being published, Runecast released a new set of definitions (v6.7.0.2), including this VMSA and coverage for new Linux CVEs (RHEL - 22 CVEs, Ubuntu - 79 CVEs) among other improvements.

Please update your Runecast Analyzer, run an analysis and check the results.

Cybersecurity is a constantly changing field in which new threats keep emerging. By keeping up to date with the latest intelligence, organizations can ensure that their defenses remain current and effective against those threats.

Runecast helps you reduce the risk of falling victim to this kind of attack by providing:

  • The most sophisticated and complete VMware vulnerability and security hardening assessment with our patented rules engine.
  • Prioritization of vulnerabilities based on their severity levels and known exploited vulnerabilities information.
  • Fastest vulnerability and security standard release cycle thanks to the Runecast AI Knowledge Automation Platform.
  • Best time to value on the market, with 15-minute agentless deployment and results.
  • Unmatched secure deployment methods supporting air-gapped environments.
  • Remediation capabilities.

By using Runecast regularly and following its recommendations, you can:

  • Maintain a hardened configuration to reduce attack surface.
  • Save time by automating remediation.
  • Stay free of critical vulnerabilities by prioritising those with known exploits.
  • Greatly reduce the risk of any malware, including ransomware, compromising your systems.

Runecast is a powerful AI-driven platform that can help you reduce the risk of falling victim to a VMware targeted ransomware attack. While there is no solution that can guarantee 100% prevention, Runecast will give you the best chance of avoiding a costly and damaging attack.
