Hand-Picked Top-Read Stories

Policy data may be lost when a CVAD site is upgraded from a previous version to 2402

28 views

Citrix VDA lose Registration after Cloud Connector Restart

31 views

Understanding Write Cache in Provisioning Services Server

31 views

Trending Tags

VMware Virtualisation

720 views

2 minute read

VMSA-2022-0024

24 August 2022

Important

Advisory ID:
VMSA-2022-0024

CVSSv3 Range:
7.0

Issue Date:
2022-08-23

Updated On:
2022-08-23 (Initial Advisory)

CVE(s):
CVE-2022-31676

Synopsis:
VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676)

1. Impacted Products

VMware Tools

2. Introduction

VMware Tools was impacted by a local privilege escalation vulnerability. Updates are available to remediate this vulnerability in affected VMware products.

3. Local privilege escalation vulnerability (CVE-2022-31676)

Description

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.0.

Known Attack Vectors

A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.

Resolution

To remediate CVE-2022-31676 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

None.

Additional Documentation

None.

Notes

VMware Tools 10.3.25 only applies to the older Linux releases.

Acknowledgements

None.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
VMware Tools	12.x.y, 11.x.y	Windows	CVE-2022-31676	7.0	important	12.1.0	None	None
VMware Tools	12.x.y, 11.x.y	Linux	CVE-2022-31676	7.0	important	12.1.0	None	None
VMware Tools	10.x.y	Linux	CVE-2022-31676	7.0	important	10.3.25	None	None

4. References

Fixed Version(s) and Release Notes:

VMware Tools 12.1.0

Downloads and Documentation:

https://customerconnect.vmware.com/downloads/details?downloadGroup=VMTOOLS1210&productId=1259&rPId=92824

https://docs.vmware.com/en/VMware-Tools/12.1/rn/VMware-Tools-1210-Release-Notes.html

VMware Tools 10.3.25

https://customerconnect.vmware.com/downloads/details?downloadGroup=VMTOOLS10325&productId=1072&rPId=92945

https://docs.vmware.com/en/VMware-Tools/10.3/rn/VMware-Tools-10325-Release-Notes.html

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676

FIRST CVSSv3 Calculator:

CVE-2022-31676: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

5. Change Log

2022-08-23 VMSA-2022-0024
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.

Read full article (vmware.com)

All content and images belong to their respected owners, this article is curated for informational purposes only.

Leave a Reply Cancel reply

You must be logged in to post a comment.

Previous Post

Citrix

PVS 1912CU5 on Windows 2012 R2 with KB501874: The specified AuthGroup does not exist

24 August 2022

Next Post

Citrix

CLOUD | MCS + Unable to create Machine Catalog

25 August 2022