VMware has released a fix for an information disclosure vulnerability in its VMware Tanzu Application Service for VMs (TAS for VMs) and Isolation Segment. This vulnerability was a result of credentials being recorded and exposed in system audit logs.
TAS for VMs is a solution that enables businesses to automate the deployment of applications across various environments, including on-premises, public and private clouds such as vSphere, AWS, Azure, GCP, and OpenStack.
The security flaw, designated as CVE-2023-20891, could potentially allow remote attackers with low privileges to gain access to Cloud Foundry API admin credentials on systems that have not been patched. The attacks could be carried out with low complexity and do not require user interaction. This is possible because, on unpatched TAS for VMs instances, the CF API admin credentials are logged in platform system audit logs in hex-encoded format.
Threat actors exploiting this vulnerability could potentially use the stolen credentials to push malicious versions of applications. As stated by VMware, "A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application."
Fortunately, as VMware points out, non-admin users typically do not have access to the system audit logs in standard deployment configurations. VMware nevertheless recommends that all TAS for VMs users affected by CVE-2023-20891 rotate their CF API admin credentials so that any passwords already leaked into the logs cannot be used by attackers.
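Before rotating, a defender will want to know whether existing audit logs actually contain hex-encoded credential material and to redact it before the logs are shared or retained. The scanner below is an added example, not VMware's code or a real TAS log format: it assumes that leaked values appear as contiguous hex runs that decode to printable ASCII containing a credential keyword (the keyword list and the sample lines are constructed for illustration).

```python
import re
from dataclasses import dataclass

# A hex run of at least 8 bytes that is not part of a longer hex string.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){8,})(?![0-9A-Fa-f])")
# Assumed keywords that mark decoded text as credential material.
SECRET_KEYS = ("password", "client_secret", "secret", "token", "credential")
REDACTION = "[REDACTED-HEX-CREDENTIAL]"

@dataclass
class Finding:
    line_no: int
    decoded: str

def decode_hex_run(token: str):
    """Return the decoded text if the hex run is printable ASCII, else None."""
    try:
        text = bytes.fromhex(token).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None          # hashes, GUIDs and binary blobs end up here
    return text if text.isprintable() else None

def looks_like_credential(text: str) -> bool:
    lowered = text.lower()
    return any(key in lowered for key in SECRET_KEYS)

def scan_audit_log(lines):
    """Return (findings, redacted_lines) for an iterable of audit log lines."""
    findings, redacted = [], []
    for line_no, line in enumerate(lines, start=1):
        def replace(match):
            decoded = decode_hex_run(match.group(1))
            if decoded is not None and looks_like_credential(decoded):
                findings.append(Finding(line_no, decoded))
                return REDACTION
            return match.group(0)   # benign hex (ids, hashes) is left alone
        redacted.append(HEX_RUN.sub(replace, line))
    return findings, redacted

# Constructed sample lines (not real TAS output). The first embeds a made-up
# admin secret hex-encoded the way the advisory describes.
LEAKED = '{"client_id":"admin","client_secret":"example-not-a-real-secret"}'
SAMPLE_LINES = [
    "2023-07-26T10:00:00Z uaa audit: token_request payload=" + LEAKED.encode().hex(),
    "2023-07-26T10:00:01Z cloud_controller audit: app_guid=" + "ff" * 16 + " event=app.push",
    "2023-07-26T10:00:02Z cloud_controller audit: space=" + b"dev-space-name".hex(),
]

if __name__ == "__main__":
    found, clean = scan_audit_log(SAMPLE_LINES)
    for f in found:
        print(f"line {f.line_no}: hex-encoded credential material found")
    print("\n".join(clean))
```

Run it over a log export to decide which credentials must be rotated; the findings list never needs to leave the host, and the redacted copy is what gets shared.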
To aid users, VMware provides a comprehensive guide on changing Cloud Foundry User Account and Authentication (UAA) admin credentials in a support document. However, it cautions that "TAS does not officially support changing the UAA admin user's password. The instructions above are not officially tested as a part of the Operations Manager test suite, so use them at your own risk." VMware further warns against changing the admin user's password with the uaac utility, because that only updates the password in UAA, which can leave Operations Manager out of sync and lead to job and errand failures.
In the past month, VMware has also addressed high-severity vCenter Server security bugs that allowed code execution and authentication bypass. It also fixed an ESXi zero-day exploited by a Chinese state-sponsored hacking group to backdoor Windows and Linux virtual machines in data theft attacks. More recently, the company warned customers that exploit code is now available for a critical RCE vulnerability in the VMware Aria Operations for Logs analysis tool.