Hackers Launch MiTM Attack to Bypass VMware Tools SAML Authentication

VMware has been reported with a SAML token signature bypass vulnerability, which a threat actor can exploit to perform VMware Guest operations. CVE ID has been assigned for this vulnerability, and the severity was mentioned as 7.5 (High).

VMware tools are a set of modules and services for enabling several services in VMware products, which help better manage guest operating systems and flawless user interactions between the host and the guest operating system. VMware tools also can pass messages from the Host to the Guest operating system.

However, VMware has released a security advisory for addressing this vulnerability.

CVE-2023-20900: SAML Token Signature Bypass vulnerability

An attacker with a man-in-the-middle (MITM) network positioning between the vCenter server and the virtual machine can bypass the SAML token signature verification and exploit this vulnerability to perform VMware guest operations. The CVSS score for this vulnerability has been given as 7.5 (High).

There has not been a publicly available exploit released for this vulnerability yet.

Affected Products

VMware has been previously found to have a critical vulnerability in the Aria Operations for Networks, which lets threat actors perform authentication bypass and arbitrary file write operations. 

To remediate the vulnerability, VMware released a security advisory and Knowledge Base for VMware Aria Operations for Networks. Similarly, a security advisory has been released to fix this VMware tool vulnerability.

Users of VMware tools are recommended to upgrade to the latest version in order to prevent this vulnerability from getting exploited by threat actors.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.