Hackers Launch MiTM Attack to Bypass VMware Tools SAML

VMware Tools SAML

VMware has been reported with a SAML token signature bypass vulnerability, which a threat actor can exploit to perform VMware Guest operations. CVE ID has been assigned for this vulnerability, and the severity was mentioned as 7.5 (High).

VMware tools are a set of modules and services for enabling several services in VMware products, which help better manage guest operating systems and flawless user interactions between the host and the guest operating system. VMware tools also can pass messages from the Host to the Guest operating system.

However, VMware has released a security advisory for addressing this vulnerability.

An attacker with a man-in-the-middle (MITM) network positioning between the vCenter server and the virtual machine can bypass the SAML token signature verification and exploit this vulnerability to perform VMware guest operations. The CVSS score for this vulnerability has been given as 7.5 (High).

There has not been a publicly available exploit released for this vulnerability yet.

Affected Products

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Tools 12. x.x, 11.x.x, 10.3.x Windows CVE-2023-20900 7.5 Important 12.3.0 None None
VMware Tools 10.3.x Linux CVE-2023-20900 7.5 Important [1] 10.3.26 None None
[2] VMware Tools (open-vm-tools) 12. x.x, 11. x.x, 10.3.x Linux CVE-2023-20900 7.5 Important [3] 12.3.0 None None

VMware has been previously found to have a critical vulnerability in the Aria Operations for Networks, which lets threat actors perform authentication bypass and arbitrary file write operations. 

To remediate the vulnerability, VMware released a security advisory and Knowledge Base for VMware Aria Operations for Networks. Similarly, a security advisory has been released to fix this VMware tool vulnerability.

Users of VMware tools are recommended to upgrade to the latest version in order to prevent this vulnerability from getting exploited by threat actors.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.

Leave a Reply

Your email address will not be published. Required fields are marked *