CVE-2023-20891 - VMware Tanzu Application Service: Unauthorized Access to Hex-encoded CF API Admin Credentials

VMware Tanzu Application Service, formerly known as Pivotal Cloud Foundry (or PCF), is an application platform that enables developers to build, test, and scale applications. Isolation Segment is an optional component that provides resources for dedicated hosting of applications.

In this blog post, we will discuss a vulnerability that has been assigned the CVE identifier CVE-2023-20891, which affects the VMware Tanzu Application Service for VMs and Isolation Segment. The vulnerability stems from an information disclosure issue that allows an attacker to gain access to sensitive data.

Exploit Details

The vulnerability arises due to the logging of sensitive credentials in hex encoding format. These credentials are essentially the CF API admin's credentials and are stored, unprotected, in the platform system audit logs. Consequently, this poses a massive risk, as non-admin users could potentially access these logs and decode the credentials to execute malicious activity.

In default deployment, non-admin users are not granted access to the platform system audit logs. However, a malicious user with unauthorized access or an insider threat could potentially access the logs and decode the encoded credentials.

To illustrate this vulnerability further, here's a code snippet that shows how hex-encoded credentials might appear in the audit logs:

17:30:07 [AUDIT] Username 'admin' logged in with password: 61646d696e5f707764

In this example, the hex-encoded string '61646d696e5f707764' represents the actual CF API admin's password.

Exploit Scenario

Imagine a scenario where an attacker successfully gains unauthorized access to the platform system audit logs containing sensitive hex-encoded admin credentials. The attacker then decodes the hex-encoded password into readable characters, obtaining access to the CF API admin's credentials.

Here's a sample Python code snippet that demonstrates how an attacker could decode the encoded password:

import binascii

hex_encoded_password = "61646d696e5f707764"
password = binascii.unhexlify(hex_encoded_password).decode("utf-8")

print("Decoded password:", password)

Now, the attacker could employ these credentials to push new malicious versions of existing applications or deploy fresh malicious applications, putting the entire virtual environment at risk.

VMware Tanzu Application Service for VMs 2.9.24 and above

It is highly recommended that you upgrade your VMware Tanzu Application Service and Isolation Segment components to the appropriate versions mentioned above.

For more details about the security vulnerability and its remediation, please refer to the VMware security advisory: VMSA-2023-0006

Conclusion

This vulnerability underscores the importance of monitoring and securing access to sensitive data and ensuring that your infrastructure is regularly updated to prevent the exploitation of known vulnerabilities. By keeping your VMware Tanzu Application Service and Isolation Segment up-to-date, you can mitigate the risks posed by CVE-2023-20891 and enhance the security of your virtual environment.

Timeline

Published on: 07/26/2023 06:15:00 UTC
Last modified on: 08/03/2023 15:03:00 UTC