VMware Patches Vulnerability Exposing Admin Credentials


VMware addressed a vulnerability on Tuesday that impacts its Tanzu Application Service for VMs and Isolation Segment products. 

The flaw, tracked as CVE-2023-20891, poses a significant risk by exposing CF API admin credentials and potentially granting unauthorized access to sensitive systems and data.

The issue, which was privately reported to VMware, arises because CF API admin credentials were written, hex-encoded, to the platform system audit logs. Hex encoding is not encryption or hashing: anyone who can read the log can recover the plaintext credentials with a trivial decode.


VMware has classified the severity of this vulnerability as “Moderate,” as it possesses a maximum CVSS v3 base score of 6.5.

From a technical standpoint, the known attack vectors involve malicious non-admin users gaining access to the platform system audit logs, where they can extract hex-encoded CF API admin credentials. 

Using this information, attackers could potentially push malicious versions of applications, compromising the security and integrity of the entire system. 

Notably, in default deployments, non-admin users are not granted access to the platform system audit logs, mitigating some of the risks.
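The attack vector described above, as an added example that is not VMware's code and does not use Tanzu's real log schema: a small scanner that walks audit-log lines, finds runs of hex, decodes them, and flags any run that decodes to credential-like text, then redacts it. The log lines, field names and the credential value are constructed for the example; the regexes and heuristics are the author's own assumptions about what "credential-like" means.

```python
import re

# Constructed sample audit-log lines in a hypothetical format (not Tanzu's real schema).
# Line 1 carries a hex request id (decodes to control bytes), line 2 a hex-encoded
# "user:password" value, line 3 a hex digest (decodes to non-ASCII bytes).
SAMPLE_LOG = [
    "2023-07-25T10:00:01Z cf-audit request_id=4a7f0e9c1b2d3e4f user=dev-user path=/v3/apps status=200",
    "2023-07-25T10:00:02Z cf-audit op=push app=orders user=admin auth=61646d696e3a733363723374",
    "2023-07-25T10:00:03Z cf-audit droplet_sha=e3b0c44298fc1c149afbf4c8996fb924 status=201",
]

# A run of at least 8 bytes of hex, bounded by non-word characters.
HEX_RUN = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")

# Keywords that suggest a decoded value is a secret (assumed heuristic).
SECRET_KEYWORDS = ("password", "secret", "token", "apikey", "api_key")

# "user:password" shape: short identifier, colon, at least six non-space chars.
USER_PASS = re.compile(r"[A-Za-z0-9_.@-]{1,64}:\S{6,}")


def decode_hex_runs(line):
    """Return (hex_string, decoded_text) for every hex run that decodes to printable ASCII."""
    found = []
    for match in HEX_RUN.finditer(line):
        hexstr = match.group(0)
        try:
            text = bytes.fromhex(hexstr).decode("ascii")
        except UnicodeDecodeError:
            continue  # bytes >= 0x80: a digest or binary id, not text
        if not text.isprintable():
            continue  # control characters: not a credential string
        found.append((hexstr, text))
    return found


def looks_like_credential(text):
    """Heuristic: secret keyword present, or the value has user:password shape."""
    lowered = text.lower()
    if any(keyword in lowered for keyword in SECRET_KEYWORDS):
        return True
    return USER_PASS.fullmatch(text) is not None


def scan_audit_log(lines):
    """Return one hit per hex run that decodes to credential-like text."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for hexstr, text in decode_hex_runs(line):
            if looks_like_credential(text):
                hits.append({"line": lineno, "hex": hexstr, "decoded": text})
    return hits


def redact_line(line):
    """Replace credential-like hex runs with a marker so the line can be kept safely."""
    for hexstr, text in decode_hex_runs(line):
        if looks_like_credential(text):
            line = line.replace(hexstr, "[REDACTED]")
    return line


if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_LOG):
        print(f"line {hit['line']}: hex {hit['hex']} decodes to {hit['decoded']!r}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run against the constructed lines, only the second one is reported: its hex value decodes to `admin:s3cr3t`, which is exactly the kind of string a reader of the log could lift and reuse against the CF API. The other two hex runs decode to non-text bytes and are ignored, which keeps the scanner from drowning in request ids and digests. The same decode step is the only work an attacker with log read access has to do, which is why read access alone is enough.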

“The concept of protecting the key is the most basic, fundamental concept in cryptography and cryptographic systems. The idea that the way the key is formulated and/or used is less important should get everyone to put importance on the key,” commented Jason Kent, hacker in residence at Cequence Security.

“Here, you can see they capture a key as it is being used, encode it, and write it to the logs. Read access to the logs is all that is needed, and low-level access like that is easily obtained.”

Organizations that rely on VMware Tanzu Application Service for VMs and Isolation Segment are strongly advised to apply the patches released by the company.

In its advisory, VMware highlighted that there are currently no known workarounds for this vulnerability. The company also advised impacted users to rotate their CF API admin credentials as an added precaution, since credentials already written to existing logs remain exposed after the patch is applied.
