VMware's Response to the Critical CVE-2023-20891 Vulnerability Exposing CF API Admin Credentials
Virtual machines have become a staple of cybersecurity work. They let professionals simulate real-world attack scenarios, run vulnerability tests, and analyze malware in a safe, controlled setting, and the ability to take snapshots and revert to earlier states means a threat can be explored without putting primary systems at risk. In this blog, we cover a recent VMware vulnerability and the steps needed to safeguard affected systems. Note that the flaw discussed here is not in VMware's hypervisor or desktop virtualization products but in VMware Tanzu Application Service for VMs (TAS for VMs), a Cloud Foundry-based application platform that runs on top of such infrastructure.
In a recent security update, VMware addressed an information disclosure vulnerability affecting TAS for VMs and Isolation Segment. Tracked as CVE-2023-20891, the flaw allows a non-admin user who can read the platform's system audit logs to recover Cloud Foundry API admin credentials from them. TAS for VMs automates application deployment across a range of environments, including vSphere, AWS, Azure, GCP, and OpenStack. The vulnerability is significant because an attacker holding the CF API admin credentials could, among other things, push malicious versions of applications running on the platform.
VMware Vulnerability Could Cause Credentials Exposure
CVE-2023-20891 stems from the presence of hex-encoded CF API admin credentials in the system audit logs of unpatched TAS for VMs instances. A non-admin user with access to those logs could decode the credentials and then act as the platform admin, including pushing malicious application versions. VMware noted that non-admin users typically do not have access to system audit logs in standard deployment configurations, but nonetheless recommended that all affected TAS for VMs users rotate their CF API admin credentials as a precaution against use of an already-leaked password. Patching stops new log entries from carrying the credential; rotation is what invalidates any copy that has already leaked, since log copies that were shipped to a SIEM, archived, or backed up still contain the old hex-encoded value.
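To check whether existing audit logs (or copies of them elsewhere) actually carry a leaked credential, the following scanner decodes every long hex run in a log, keeps only runs that decode to readable text, and flags those that contain a known secret or a credential-looking keyword. This is an added example written for this post, not VMware's or SOCRadar's code; the log lines and the admin credential in it are constructed for illustration, and the real TAS for VMs audit-log format is not shown in the advisory, so the line layout is an assumption.

```python
import re
import string

# Constructed sample audit-log lines. The layout is an assumption, not the
# real TAS for VMs format. Line 2 carries a hex-encoded "user:password"
# pair for the admin account; the other lines are benign.
ADMIN_PLAIN = "admin:Tr0ub4dor&3"  # constructed credential, not a real one
ADMIN_HEX = ADMIN_PLAIN.encode().hex()
SAMPLE_LOG = "\n".join([
    "2023-07-25T10:01:02Z cloud_controller_ng audit: action=app.create user=dev-user",
    f"2023-07-25T10:01:03Z cloud_controller_ng audit: payload={ADMIN_HEX}",
    "2023-07-25T10:01:04Z cloud_controller_ng audit: request_id=deadbeefcafe",
    "2023-07-25T10:01:05Z gorouter: route registered sha=4a5e1ed7b5c3a1d9",
])

# A run of 16+ hex digits not touching other hex digits. Shorter runs are
# ignored to keep timestamps, ports and short IDs out of the results.
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{16,})(?![0-9a-fA-F])")
# Words that suggest the decoded text is a credential rather than, say, a
# hex-encoded request body.
SECRET_HINT = re.compile(r"(admin|password|secret|client_secret|uaa)", re.IGNORECASE)
# Printable ASCII minus vertical tab and form feed, which never appear in
# real credential strings.
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_hex_run(token):
    """Return the decoded text if token is even-length hex that decodes to
    printable ASCII, otherwise None (hashes and binary blobs fall out here)."""
    if len(token) % 2:
        return None
    try:
        text = bytes.fromhex(token).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def find_hex_encoded_secrets(log_text, known_secrets=()):
    """Scan each log line for hex runs that decode to readable text.

    Returns a list of (line_number, decoded_text, reason). A decoded run that
    contains one of known_secrets (e.g. the admin credential you are about
    to rotate) is reported as "known-secret"; otherwise a credential-looking
    keyword yields "credential-hint".
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in HEX_RUN.finditer(line):
            decoded = decode_hex_run(match.group(1))
            if decoded is None:
                continue
            if any(secret and secret in decoded for secret in known_secrets):
                findings.append((line_no, decoded, "known-secret"))
            elif SECRET_HINT.search(decoded):
                findings.append((line_no, decoded, "credential-hint"))
    return findings


def redact(text, keep=3):
    """Mask all but the first few characters so a report does not re-leak
    the credential it found."""
    return text[:keep] + "*" * max(len(text) - keep, 0)


if __name__ == "__main__":
    for line_no, decoded, reason in find_hex_encoded_secrets(SAMPLE_LOG, (ADMIN_PLAIN,)):
        print(f"line {line_no}: {reason}: {redact(decoded)}")
```

Run it against a real log with `find_hex_encoded_secrets(open(path).read(), (current_admin_credential,))` before rotating; a "known-secret" hit on a log that non-admin users could read means the credential should be treated as compromised, not merely rotated as a precaution. The SHA-like value on the last sample line is deliberately included to show that hex runs which do not decode to ASCII are dropped rather than reported.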
Recommendation and Credential Rotation
In response to the flaw, VMware published detailed instructions for changing the Cloud Foundry User Account and Authentication (UAA) admin credentials. Although TAS for VMs does not officially support changing the UAA admin user's password, VMware acknowledged that some operators need to do so, for example when administrators change or when a password has leaked. Users were cautioned to follow the steps carefully, because an incorrect edit to installation.yml can break the deployment.
The Tanzu Support Hub instructions for changing the UAA admin password stress two practical points: use spaces rather than tabs in the YAML file, and take a backup before editing. After the change is applied, the new credentials should be verified by logging on to Apps Manager or authenticating with the cf CLI. VMware also made clear that changing the admin user's password with the uaac utility alone is not sufficient: Operations Manager keeps its own copy of the credential, so a change made only in UAA leaves Operations Manager out of sync and can cause job and errand failures.
Leveraging Vulnerability Intelligence and External Attack Surface Management
VMware's prompt response to CVE-2023-20891 highlights the value of vulnerability intelligence and proactive management of the external attack surface. To stay ahead of such threats, organizations can use SOCRadar's Vulnerability Intelligence Module, which monitors emerging vulnerabilities and provides timely alerts. SOCRadar's External Attack Surface Management adds visibility into an organization's digital footprint and helps identify potential points of exploitation, enabling faster risk assessment. Together, these capabilities help organizations strengthen their security posture and protect business-critical assets from vulnerabilities like the one addressed by VMware.