VMware ESXi Zero-Day vulnerability found by Mandiant security researchers.
An Authentication Bypass vulnerability in VMware Tools was responsibly reported to VMware. Updates are available to remediate this vulnerability in the affected VMware products.
According to the VMware advisory, Chinese espionage actors used it to perform privileged guest operations from compromised hypervisors.
What is VMware ESXi?
VMware ESXi effectively partitions hardware to consolidate applications and cut costs. It’s the industry leader for efficient architecture, setting the standard for reliability, performance, and support.
What ESXi Delivers
IT teams are under constant pressure to meet fluctuating market trends and heightened customer demands. At the same time, they must stretch IT resources to accommodate increasingly complex projects. ESXi, formerly known as ESX, helps balance the need for both better business outcomes and IT savings.
VMware ESXi enables you to:
- Consolidate hardware for higher capacity utilization.
- Increase performance for a competitive edge.
- Streamline IT administration through centralized management.
- Reduce CapEx and OpEx.
- Minimize hardware resources needed to run the hypervisor, meaning greater efficiency.
Authentication Bypass vulnerability in VMware Tools (CVE-2023-20867)
VMware Tools contains an Authentication Bypass vulnerability in the vgauth module. VMware has evaluated this issue’s severity as being in the Low severity range with a maximum CVSSv3 base score of 3.9.
Known Attack Vectors
A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.
Mandiant published details surrounding a novel malware system deployed by UNC3886, a Chinese cyber espionage group, which impacted VMware ESXi hosts, vCenter servers, and Windows virtual machines (VMs).
Mandiant has discovered additional techniques UNC3886 has utilized across multiple organizations to keep out of the sights of EDR solutions, including:
- Harvesting credentials for service accounts from a vCenter Server for all connected ESXi hosts from the embedded vPostgreSQL server built into vCenter Server Appliance
- Exploiting a zero-day vulnerability (CVE-2023-20867) that enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs.
- Deploying backdoors on ESXi hosts using an alternative socket address family, VMCI, for lateral movement and continued persistence. This address family enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place.
- Continuing to tamper with and disable logging services on impacted systems, which presents additional challenges to investigating UNC3886 in a compromised environment.
Who is UNC3886?
UNC3886 is a highly adept Chinese cyber espionage group that has targeted and exploited zero-day vulnerabilities in firewall and virtualization technologies, which do not support EDR solutions. UNC3886 has primarily targeted defense, technology, and telecommunication organizations in the US and APJ regions.
Mandiant has identified additional attacker scripts that enabled UNC3886 to obtain vpxuser credentials, enumerate ESXi hosts and their guest VMs, and manipulate connected ESXi host firewall rules. These scripts enabled the attacker to perform the following actions:
- Obtain the cleartext passwords of all connected ESXi hosts' vpxuser service accounts from a compromised vCenter server through the connected vPostgreSQL database.
- List all ESXi hosts that are attached to a vCenter server as well as the guest VMs that are hosted on each of the attached ESXi hosts.
- Add or delete entries in the list of allowed IPs for a specified service (default: sshServer) across all connected ESXi hosts.
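Because the attacker scripts above add and remove allowed IPs for the sshServer ruleset across every connected host, a defender's counterpart is to compare each host's current allowed-IP list against a known baseline and flag additions, deletions, or a ruleset opened to all sources. The following audit is an added example, not code from VMware, Mandiant, or the original article. It assumes the tabular layout that `esxcli network firewall ruleset allowedip list` prints (header row, dashed separator, one row per ruleset, `All` when no restriction is set); the host outputs and the baseline management addresses are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample output for three hosts, in the assumed layout of
# `esxcli network firewall ruleset allowedip list`. Not captured from a real host.
SAMPLE_OUTPUTS = {
    "esxi-01": (
        "Ruleset        Allowed IP Addresses\n"
        "-------------  --------------------\n"
        "sshServer      10.10.0.5, 10.10.0.6\n"
        "vSphereClient  10.10.0.0/24\n"
    ),
    "esxi-02": (
        "Ruleset        Allowed IP Addresses\n"
        "-------------  --------------------\n"
        "sshServer      10.10.0.5, 10.10.0.6, 203.0.113.77\n"
    ),
    "esxi-03": (
        "Ruleset        Allowed IP Addresses\n"
        "-------------  --------------------\n"
        "sshServer      All\n"
    ),
}

# Assumed baseline: the only management addresses that should be able to reach SSH
# on any ESXi host. In practice this comes from the environment's own records.
BASELINE_SSH_ALLOWED: Set[str] = {"10.10.0.5", "10.10.0.6"}


def parse_allowedip_list(text: str) -> Dict[str, List[str]]:
    """Map each ruleset name to its list of allowed-IP entries."""
    rules: Dict[str, List[str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blank lines, the header row and the dashed separator.
        if not stripped or stripped.startswith("Ruleset") or stripped.startswith("---"):
            continue
        # Columns are separated by runs of two or more spaces.
        cols = re.split(r"\s{2,}", stripped, maxsplit=1)
        entries = [e.strip() for e in cols[1].split(",")] if len(cols) > 1 else []
        rules[cols[0]] = [e for e in entries if e]
    return rules


def audit_ssh_allowed_ips(outputs: Dict[str, str], baseline: Set[str],
                          ruleset: str = "sshServer") -> Dict[str, dict]:
    """Per host, report entries not in the baseline, baseline entries that were
    removed, and whether the ruleset has been opened to all sources."""
    findings: Dict[str, dict] = {}
    for host, text in outputs.items():
        entries = parse_allowedip_list(text).get(ruleset, [])
        unrestricted = any(e.lower() == "all" for e in entries)
        current = {e for e in entries if e.lower() != "all"}
        findings[host] = {
            "unrestricted": unrestricted,
            "unexpected": sorted(current - baseline),
            "missing": sorted(baseline - current),
        }
    return findings


def hosts_needing_review(findings: Dict[str, dict]) -> List[str]:
    """Hosts whose sshServer allowed-IP list deviates from the baseline in any way."""
    return sorted(
        host for host, f in findings.items()
        if f["unrestricted"] or f["unexpected"] or f["missing"]
    )


if __name__ == "__main__":
    result = audit_ssh_allowed_ips(SAMPLE_OUTPUTS, BASELINE_SSH_ALLOWED)
    for host in hosts_needing_review(result):
        print(host, result[host])
```

Feed it the real command output collected from each host (for example over an existing management channel) and treat any host listed by `hosts_needing_review` as a candidate for a closer look at its firewall change history and SSH access logs. Missing baseline entries matter as much as unexpected ones, since the attacker scripts delete from the list as well as add to it.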
To remediate CVE-2023-20867, update to the version listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
- Product – VMware Tools
- Version – 12.x.x, 11.x.x, 10.3.x
- CVSSv3 – 3.9
- Fixed Version – 12.2.5
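To turn the response matrix into a check that can be run across a guest inventory, the following added example (not VMware's or Mandiant's code) encodes the affected ranges (12.x.x below 12.2.5, 11.x.x, and 10.3.x) and flags guests whose VMware Tools version falls inside them. It assumes versions are reported as dotted strings such as those printed by `vmware-toolbox-cmd -v` (a fourth component, the build number, is tolerated); the inventory is constructed for the example.

```python
from typing import Dict, List, Tuple

# Fixed version from the VMware response matrix for CVE-2023-20867.
FIXED_VERSION: Tuple[int, ...] = (12, 2, 5)

# Constructed sample inventory: guest name -> reported VMware Tools version.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "12.1.5",
    "db-02": "12.2.5.21855600",   # fixed build with a trailing build number
    "app-03": "11.3.5",
    "legacy-04": "10.3.25",
    "new-05": "12.3.0",
    "photon-06": "12.2.0",
    "orphan-07": "",              # Tools not reporting a version at all
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.2.5.21855600' into (12, 2, 5, 21855600); stops at the first
    component that carries no digits, so an empty or malformed string yields ()."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def assess(version: str) -> str:
    """Classify a Tools version as 'affected', 'not-affected' or 'unknown'
    strictly according to the response matrix on the page."""
    v = parse_version(version)
    if not v:
        return "unknown"
    major = v[0]
    if major == 12:
        # Tuple comparison: (12, 2, 5, build) is not less than (12, 2, 5).
        return "affected" if v < FIXED_VERSION else "not-affected"
    if major == 11:
        return "affected"
    if major == 10:
        return "affected" if len(v) >= 2 and v[1] == 3 else "not-affected"
    # Versions outside the matrix are not flagged here; handle them per vendor guidance.
    return "not-affected"


def guests_to_review(inventory: Dict[str, str]) -> List[str]:
    """Guests that are either affected or cannot be assessed, in inventory order."""
    return [name for name, ver in inventory.items() if assess(ver) != "not-affected"]


if __name__ == "__main__":
    for name in guests_to_review(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name] or '<none>'} -> {assess(SAMPLE_INVENTORY[name])}")
```

Guests with an unreadable version are deliberately kept in the review list rather than silently passed, since a guest that cannot report its Tools version cannot be shown to be on 12.2.5 either.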