CVE-2023-34059
📋 TL;DR
CVE-2023-34059 is a file descriptor hijack vulnerability in open-vm-tools' vmware-user-suid-wrapper that allows non-root users to hijack the /dev/uinput file descriptor. This enables attackers to simulate user inputs like keystrokes and mouse movements. Systems running vulnerable versions of open-vm-tools with the SUID wrapper enabled are affected.
💻 Affected Systems
- open-vm-tools
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full control of the virtual machine by simulating privileged user inputs, potentially leading to complete system compromise, data theft, or lateral movement.
Likely Case
Local attackers can execute arbitrary commands, escalate privileges, or perform unauthorized actions by simulating user inputs within the compromised VM.
If Mitigated
With proper access controls and patching, impact is limited to denial of service or minimal privilege escalation within the user's own session.
🎯 Exploit Status
Exploitation requires local access to the system. Proof-of-concept code has been published in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: open-vm-tools 12.3.0 and later
Vendor Advisory: https://lists.debian.org/debian-lts-announce/2023/11/msg00002.html
Restart Required: No
Instructions:
1. Update open-vm-tools to version 12.3.0 or later using your distribution's package manager. 2. For Debian/Ubuntu: sudo apt update && sudo apt install open-vm-tools. 3. For RHEL/CentOS: sudo yum update open-vm-tools. 4. Verify the update completed successfully.
🔧 Temporary Workarounds
Remove SUID bit from vmware-user-suid-wrapper
linuxRemoves the setuid permission from the vulnerable binary to prevent privilege escalation
sudo chmod u-s /usr/bin/vmware-user-suid-wrapper
Disable vmware-user-suid-wrapper
linuxPrevents the vulnerable component from being executed
sudo chmod 000 /usr/bin/vmware-user-suid-wrapper
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to vulnerable systems
- Monitor for suspicious user input simulation activities and file descriptor manipulation attempts
🔍 How to Verify
Check if Vulnerable:
Check open-vm-tools version: open-vm-tools --version. If version is below 12.3.0, check if vmware-user-suid-wrapper exists: ls -la /usr/bin/vmware-user-suid-wrapperCheck Version:
open-vm-tools --versionVerify Fix Applied:
Verify open-vm-tools version is 12.3.0 or higher: open-vm-tools --version. Confirm SUID bit is not set: ls -la /usr/bin/vmware-user-suid-wrapper | grep -v '^-rws'📡 Detection & Monitoring
Log Indicators:
- Unusual /dev/uinput access patterns
- Multiple failed privilege escalation attempts
- Suspicious vmware-user-suid-wrapper executions
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
process_name:"vmware-user-suid-wrapper" AND (file_path:"/dev/uinput" OR command_line:"uinput")🔗 References
- http://www.openwall.com/lists/oss-security/2023/10/27/2
- http://www.openwall.com/lists/oss-security/2023/10/27/3
- http://www.openwall.com/lists/oss-security/2023/11/26/1
- http://www.openwall.com/lists/oss-security/2023/11/27/1
- https://lists.debian.org/debian-lts-announce/2023/11/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7G77Z76CQPGUF7VHRA6O3UFCMPPR4O2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQUOFQL2SNNNMKROQ3TZQY4HEYMNOIBW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLTKVTRKQW2GD2274H3UOW6XU4E62GSK/
- https://www.debian.org/security/2023/dsa-5543
- https://www.vmware.com/security/advisories/VMSA-2023-0024.html
- http://www.openwall.com/lists/oss-security/2023/10/27/2
- http://www.openwall.com/lists/oss-security/2023/10/27/3
- http://www.openwall.com/lists/oss-security/2023/11/26/1
- http://www.openwall.com/lists/oss-security/2023/11/27/1
- https://lists.debian.org/debian-lts-announce/2023/11/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7G77Z76CQPGUF7VHRA6O3UFCMPPR4O2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQUOFQL2SNNNMKROQ3TZQY4HEYMNOIBW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLTKVTRKQW2GD2274H3UOW6XU4E62GSK/
- https://www.debian.org/security/2023/dsa-5543
- https://www.vmware.com/security/advisories/VMSA-2023-0024.html
- https://www.openwall.com/lists/oss-security/2023/10/27/3
