In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "c0151aa3ba76c785b32c7f9d16c98febe53017b1", "tree": "96bf9c2e4aeb3c9a5db37467c05c328039ae7d60", "parents": \[ "48779ff3ddafee92e4f098bdbaaf2e9f21b0957e" \], "author": { "name": "Hui Peng", "email": "phui@google.com", "time": "Tue May 16 02:09:38 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:12:27 2023 +0000" }, "message": "Fix an integer underflow in build\_read\_multi\_rsp\\n\\nWhen p\_buf-\\u003elen is mtu - 1 and p\_cmd-\\u003emulti\_req.variable\_len\\nevaluates to true, integer underflow is triggered\\nin the following line, resulting OOB access.\\n\\n\`\`\`\\n len \\u003d p\_rsp-\\u003eattr\_value.len - (total\_len - mtu);\\n\`\`\`\\n\\nBug: 273874525\\nTest: manual\\nIgnore-AOSP-First: security\\nTag: #security\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)\\nMerged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4\\nChange-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "0b60a6a8db91e9e1af0bc1f1426a73f50cfc2864", "old\_mode": 33188, "old\_path": "system/stack/gatt/gatt\_sr.cc", "new\_id": "4c00743228252e0d2805433ad5cc663b6f169250", "new\_mode": 33188, "new\_path": "system/stack/gatt/gatt\_sr.cc" } \] }

CVE-2023-40129

In resetSettingsLocked of SettingsProvider.java, there is a possible lockscreen bypass due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "ff86ff28cf82124f8e65833a2dd8c319aea08945", "tree": "524d68215696fbfe5584e2a97f296e20904941a2", "parents": \[ "86c8421c1181816b6cb333eb62a78e32290c4b17" \], "author": { "name": "Eric Biggers", "email": "ebiggers@google.com", "time": "Fri Jul 28 22:03:03 2023 +0000" }, "committer": { "name": "Justin Dunlap", "email": "justindunlap@google.com", "time": "Fri Sep 01 12:58:52 2023 -0700" }, "message": "RESTRICT AUTOMERGE: SettingsProvider: exclude secure\_frp\_mode from resets\\n\\nWhen RescueParty detects that a system process is crashing frequently,\\nit tries to recover in various ways, such as by resetting all settings.\\nUnfortunately, this included resetting the secure\_frp\_mode setting,\\nwhich is the means by which the system keeps track of whether the\\nFactory Reset Protection (FRP) challenge has been passed yet. With this\\nsetting reset, some FRP restrictions went away and it became possible to\\nbypass FRP by setting a new lockscreen credential.\\n\\nFix this by excluding secure\_frp\_mode from resets.\\n\\nNote: currently this bug isn\\u0027t reproducible on \\u0027main\\u0027 due to ag/23727749\\ndisabling much of RescueParty, but that is a temporary change.\\n\\nBug: 253043065\\nTest: With ag/23727749 reverted and with my fix to prevent\\n com.android.settings from crashing \*not\* applied, tried repeatedly\\n setting lockscreen credential while in FRP mode, using the\\n smartlock setup activity launched by intent via adb. Verified\\n that although RescueParty is still triggered after 5 attempts,\\n secure\_frp\_mode is no longer reset (its value remains \\"1\\").\\nTest: Verified that secure\_frp\_mode still gets changed from 1 to 0 when\\n FRP is passed legitimately.\\nTest: atest com.android.providers.settings.SettingsProviderTest\\nTest: atest android.provider.SettingsProviderTest\\n(cherry picked from commit 9890dd7f15c091f7d1a09e4fddb9f85d32015955)\\n(changed Global.SECURE\_FRP\_MODE to Secure.SECURE\_FRP\_MODE,\\n needed because this setting was moved in U)\\n(removed static keyword from shouldExcludeSettingFromReset(),\\n needed for compatibility with Java 15 and earlier)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8c2d2c6fc91c6b80809a91ac510667af24d2cf17)\\nMerged-In: Id95ed43b9cc2208090064392bcd5dc012710af93\\nChange-Id: Id95ed43b9cc2208090064392bcd5dc012710af93\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "a6edb0f0e2e35722ff118876f3098934a38b0f76", "old\_mode": 33188, "old\_path": "packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java", "new\_id": "2e04cdae2a30420eb8a7aa41adf5dd5ef4dbf661", "new\_mode": 33188, "new\_path": "packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java" }, { "type": "modify", "old\_id": "eaf0dcb9b4e797a07e5c2c058c3bbfe260b5024a", "old\_mode": 33188, "old\_path": "packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java", "new\_id": "1c6d2b08136c3bda2fee087466e44ee105ce8ec4", "new\_mode": 33188, "new\_path": "packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java" } \] }

CVE-2023-40117

In multiple locations, there is a possible way to bypass user notification of foreground services due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "d26544e5a4fd554b790b4d0c5964d9e95d9e626b", "tree": "f783afd38e1e95b034041806a96ae7f9148b8d68", "parents": \[ "88cf23cfe50b80aa9d65cc22946de1765972cb80" \], "author": { "name": "Beth Thibodeau", "email": "ethibodeau@google.com", "time": "Tue May 30 18:45:47 2023 -0500" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:10:15 2023 +0000" }, "message": "Add placeholder when media control title is blank\\n\\nWhen an app posts a media control with no available title, show a\\nplaceholder string with the app name instead\\n\\nBug: 274775190\\nTest: atest MediaDataManagerTest\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0fda1f36d04331c8d60c5540b09b1a30203581b)\\nMerged-In: Ie406c180af48653595e8e222a15b4dda27de2e0e\\nChange-Id: Ie406c180af48653595e8e222a15b4dda27de2e0e\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "af8d7ed22ed3fe16ab25d720aee3aa9c0f795a91", "old\_mode": 33188, "old\_path": "packages/SystemUI/res/values/strings.xml", "new\_id": "b0fcfcdc2f6b705656dd243fa68b993def4a76ee", "new\_mode": 33188, "new\_path": "packages/SystemUI/res/values/strings.xml" }, { "type": "modify", "old\_id": "6a69d427929e1f2f439eebe7bd3199a58d29a519", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/media/MediaDataManager.kt", "new\_id": "4c2336eeb22c09f282069945a659cb458aecfee0", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/media/MediaDataManager.kt" }, { "type": "modify", "old\_id": "1cce7cfb5b8afcc06fb87a71601185c5cfd23d38", "old\_mode": 33188, "old\_path": "packages/SystemUI/tests/src/com/android/systemui/media/MediaDataManagerTest.kt", "new\_id": "52266f983fddc351aead9a906c42034e63d9ee55", "new\_mode": 33188, "new\_path": "packages/SystemUI/tests/src/com/android/systemui/media/MediaDataManagerTest.kt" } \] }

CVE-2023-40120

In GpuService of GpuService.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "0cda11569dd256ff3220b4fe44f861f8081d7116", "tree": "76c88564d59b51976e524a8eb2a394c269786e01", "parents": \[ "686a75e8cd7a20c613dca5fec9d5a7877d360bac" \], "author": { "name": "sergiuferentz", "email": "sergiuferentz@google.com", "time": "Mon Jun 26 18:01:47 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:11:52 2023 +0000" }, "message": "Fix for heap-use-after-free in GPUService.cpp\\n\\nThis adds a unit test and fix for the bug reported by libfuzzer.\\nChanges made:\\n \* Expose GPUService as testable code.\\n \* Update main\_gpuservice.cpp to use the new GpuService now located at\\n gpuservice/GpuService.h\\n \* Make initializer threads members of GpuService\\n \* Join the threads in destructor to prevent heap-use-after-free.\\n \* Add unit test that waits 3 seconds after deallocation to ensure no\\n wrong access is made.\\n\\nBug: 282919145\\nTest: Added unit test and ran on device with ASAN\\n(cherry picked from commit 3c00cbc0f119c3f59325aa6d5061529feb58462b)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7fb707802ee4c667d1ee6065ae2845d835b47aeb)\\nMerged-In: I4d1d2d4658b575bf2c8f425f91f68f03114ad029\\nChange-Id: I4d1d2d4658b575bf2c8f425f91f68f03114ad029\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "5b4ee21b423353b3ba8fafe8559ebe2a2e1b24e1", "old\_mode": 33188, "old\_path": "services/gpuservice/Android.bp", "new\_id": "020940f04e7ce0a8c7b92180446e010336060ae4", "new\_mode": 33188, "new\_path": "services/gpuservice/Android.bp" }, { "type": "modify", "old\_id": "7b9782f4e8972debbae12326760ff70c3a61de5c", "old\_mode": 33188, "old\_path": "services/gpuservice/GpuService.cpp", "new\_id": "5643940a6eb4b727eadc881e5633553425d2331b", "new\_mode": 33188, "new\_path": "services/gpuservice/GpuService.cpp" }, { "type": "rename", "old\_id": "d7313d165e3544ba2cbb05e7a8f4febc06a75a8d", "old\_mode": 33188, "old\_path": "services/gpuservice/GpuService.h", "new\_id": "3e0ae66f39853ea3a9f2dbb0c8afeb1167872f83", "new\_mode": 33188, "new\_path": "services/gpuservice/include/gpuservice/GpuService.h", "score": 94 }, { "type": "modify", "old\_id": "64aafcab6a39fbe1e63531926de29f72c8a65af9", "old\_mode": 33188, "old\_path": "services/gpuservice/main\_gpuservice.cpp", "new\_id": "200237219e00b261f8f8bc81ff61c428a22ba882", "new\_mode": 33188, "new\_path": "services/gpuservice/main\_gpuservice.cpp" }, { "type": "modify", "old\_id": "4fb0d2e734b8f3a2c2cff8466eedafa6a2cb4c62", "old\_mode": 33188, "old\_path": "services/gpuservice/tests/unittests/Android.bp", "new\_id": "808c86bcae900abf043dc27e9e4045d8163dbaf4", "new\_mode": 33188, "new\_path": "services/gpuservice/tests/unittests/Android.bp" }, { "type": "add", "old\_id": "0000000000000000000000000000000000000000", "old\_mode": 0, "old\_path": "/dev/null", "new\_id": "62b3e53f5347dbff7d7bc5d2f64f6612247e46dd", "new\_mode": 33188, "new\_path": "services/gpuservice/tests/unittests/GpuServiceTest.cpp" } \] }

CVE-2023-40131

In appendEscapedSQLString of DatabaseUtils.java, there is a possible SQL injection due to unsafe deserialization. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "3287ac2d2565dc96bf6177967f8e3aed33954253", "tree": "832070d1a4d228a36bfcce5f0f3410555063e3ca", "parents": \[ "7212a4bec2d2f1a74fa54a12a04255d6a183baa9" \], "author": { "name": "Kunal Malhotra", "email": "malhk@google.com", "time": "Fri Jun 02 23:32:02 2023 +0000" }, "committer": { "name": "Justin Dunlap", "email": "justindunlap@google.com", "time": "Fri Sep 01 12:58:52 2023 -0700" }, "message": "Fixing DatabaseUtils to detect malformed UTF-16 strings\\n\\nTest: tested with POC in bug, also using atest\\nBug: 224771621\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb4a72e3943d166088407e61aa4439ac349f3f12)\\nMerged-In: Ide65205b83063801971c5778af3154bcf3f0e530\\nChange-Id: Ide65205b83063801971c5778af3154bcf3f0e530\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "6c8a8500e4e38c282491cefbf98e42b3a92e976a", "old\_mode": 33188, "old\_path": "core/java/android/database/DatabaseUtils.java", "new\_id": "d41df4f49d48fd3d2bf7274644fc96e67352022b", "new\_mode": 33188, "new\_path": "core/java/android/database/DatabaseUtils.java" } \] }

CVE-2023-40121

In onBindingDied of CallRedirectionProcessor.java, there is a possible permission bypass due to a logic error in the code. This could lead to local escalation of privilege and background activity launch with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "5b335401d1c8de7d1c85f4a0cf353f7f9fc30218", "tree": "85b52fe7ec98818de079ea0df2d775b8c39a2655", "parents": \[ "dd302d211bd8b935464b48551a76ef718bf33ccc" \], "author": { "name": "Grace Jia", "email": "xiaotonj@google.com", "time": "Thu Jul 20 13:42:50 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:13:01 2023 +0000" }, "message": "Fix vulnerability in CallRedirectionService.\\n\\nCurrently when the CallRedirectionService binding died, we didn\\u0027t do\\nanything, which cause malicious app start activities even not run in the\\nbackground by implementing a CallRedirectionService and overriding the\\nonPlaceCall method to schedule a activity start job in an independent\\nprocess and then kill itself. In that way, the activity can still\\nstart after the CallRedirectionService died. Fix this by unbinding the\\nservice when the binding died.\\n\\nBug: b/289809991\\nTest: Using testapp provided in bug to make sure the test activity can\\u0027t\\nbe started\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043)\\nMerged-In: I065d361b83700474a1efab2a75928427ee0a14ba\\nChange-Id: I065d361b83700474a1efab2a75928427ee0a14ba\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "226382bde4ab09d0efc1ec408db64c7e3c2cf633", "old\_mode": 33188, "old\_path": "src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java", "new\_id": "02debcd6c1b5710c2a7a14cd97165ff3d8e080cc", "new\_mode": 33188, "new\_path": "src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java" } \] }

CVE-2023-40130

In FillUi of FillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "08becc8c600f14c5529115cc1a1e0c97cd503f33", "tree": "3f0b8b76102e3b965d293910f949644ce9963cc3", "parents": \[ "2d88a5c481df8986dbba2e02c5bf82f105b36243" \], "author": { "name": "Tim Yu", "email": "yunicorn@google.com", "time": "Tue Jun 20 21:24:36 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:10:43 2023 +0000" }, "message": "\[DO NOT MERGE\] Verify URI Permissions in Autofill RemoteViews\\n\\nCheck permissions of URI inside of FillResponse\\u0027s RemoteViews. If the\\ncurrent user does not have the required permissions to view the URI, the\\nRemoteView is dropped from displaying.\\n\\nThis fixes a security spill in which a user can view content of another\\nuser through a malicious Autofill provider.\\n\\nBug: 283137865\\nFixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566\\nb/281534749 b/283101289\\nTest: Verified by POC app attached in bugs\\nTest: atest CtsAutoFillServiceTestCases (added new tests)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:93810ba1c0a4d31f49adbf9454731e2b7defdfc0)\\nMerged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\\nChange-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "bc5d6457c945fec1263428c45dd50615ec131132", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/Helper.java", "new\_id": "48113a81cca5f0a44dc5b478f47e7cadef622745", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/Helper.java" }, { "type": "modify", "old\_id": "c2c630e01bee7a3d999047550719a9e2b0e25201", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java", "new\_id": "59184e9ed28814672004f7d8a8d01b6105ab7b40", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java" }, { "type": "modify", "old\_id": "8fbdd81cc4cc666f5fe855da1aa29187066ac73f", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java", "new\_id": "76fa258734ccc37aea53d19990e64f122c6a0f51", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java" }, { "type": "modify", "old\_id": "677871f6c85f860363fc3e5cb2d07f65b602f6ef", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java", "new\_id": "533a7b69a650a58ecceb078fd2442dc9e74f67c2", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java" } \] }

CVE-2023-40139

In android_view_InputDevice_create of android_view_InputDevice.cpp, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "2d88a5c481df8986dbba2e02c5bf82f105b36243", "tree": "6fe3bd910de991370a02c926861447a19172e1ac", "parents": \[ "5a3d0c131175d923cf35c7beb3ee77a9e6485dad" \], "author": { "name": "Josep del Rio", "email": "joseprio@google.com", "time": "Mon Jun 26 09:30:06 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:10:32 2023 +0000" }, "message": "Do not share key mappings with JNI object\\n\\nThe key mapping information between the native key mappings and\\nthe KeyCharacterMap object available in Java is currently shared,\\nwhich means that a read can be attempted while it\\u0027s being modified.\\n\\nBug: 274058082\\nTest: Patch tested by Oppo\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3d993de0d1ada8065d1fe561f690c8f82b6a7d4b)\\nMerged-In: I745008a0a8ea30830660c45dcebee917b3913d13\\nChange-Id: I745008a0a8ea30830660c45dcebee917b3913d13\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "9cc72437a0234a89063644ffe2ab29c1dd47e381", "old\_mode": 33188, "old\_path": "core/jni/android\_view\_InputDevice.cpp", "new\_id": "f7c770e0bffb81d000ca79477c2fa674b44d66b4", "new\_mode": 33188, "new\_path": "core/jni/android\_view\_InputDevice.cpp" } \] }

CVE-2023-40140

Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to reward researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.
"Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or

Artificial Intelligence / Vulnerability

Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to reward researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.

"Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or misinterpretations of data (hallucinations)," Google's Laurie Richardson and Royal Hansen said.

Some of the categories that are in scope include prompt injections, leakage of sensitive data from training datasets, model manipulation, adversarial perturbation attacks that trigger misclassification, and model theft.

It's worth noting that Google earlier this July instituted an AI Red Team to help address threats to AI systems as part of its Secure AI Framework (SAIF).

Also announced as part of its commitment to secure AI are efforts to strengthen the AI supply chain via existing open-source security initiatives such as Supply Chain Levels for Software Artifacts (SLSA) and Sigstore.

"Digital signatures, such as those from Sigstore, which allow users to verify that the software wasn't tampered with or replaced," Google said.

"Metadata such as SLSA provenance that tell us what's in software and how it was built, allowing consumers to ensure license compatibility, identify known vulnerabilities, and detect more advanced threats."

The development comes as OpenAI unveiled a new internal Preparedness team to "track, evaluate, forecast, and protect" against catastrophic risks to generative AI spanning cybersecurity, chemical, biological, radiological, and nuclear (CBRN) threats.

The two companies, alongside Anthropic and Microsoft, have also announced the creation of a $10 million AI Safety Fund, focused on promoting research in the field of AI safety.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Expands Its Bug Bounty Program to Tackle Artificial Intelligence Threats

open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the 
/dev/uinput file descriptor allowing them to simulate user inputs.

Advisory ID: VMSA-2023-0024

CVSSv3 Range: 7.5 - 7.8

Issue Date: 2023-10-26

Updated On: 2023-10-26 (Initial Advisory)

CVE(s): CVE-2023-34057, CVE-2023-34058

Synopsis: VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Dan Revah of Google for reporting this issue to us.

****3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)****

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

*   While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
*   CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34057

7.8

important

12.1.1

None

None

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34057

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34058

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34058

7.5

important

12.3.5

None

None

****4\. References****

****5\. Change Log****

**2023-10-26 VMSA-2023-0024  
**Initial security advisory.

****6\. Contact****

Tag

#google