Security Bulletin: IBM DataPower Gateway Virtual Edition affected by bypass vulnerability in Open VM Tools

Published: 2024-05-14 15:03:08
Source: www.ibm.com
Tags: ibm datapower gateway, virtual edition, bypass vulnerability, open vm tools, esxi host

CVSS3: 3.9 Low
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

AI Score: 6.6 Medium (Confidence: Low)
EPSS: 0.002 Low (Percentile: 52.4%)

Summary

Exploitation of this flaw requires root access to the ESXi host. IBM has addressed the vulnerability.

Vulnerability Details

CVEID: CVE-2023-20867
**DESCRIPTION:** VMware Tools could allow a local authenticated attacker to bypass security restrictions, caused by the failure to authenticate host-to-guest operations in the vgauth module. An attacker could exploit this vulnerability using a fully compromised ESXi host to bypass authentication and obtain access to the guest virtual machine.
CVSS Base score: 3.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257845 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM DataPower Gateway 10.0.1 | 10.0.1.0-10.0.1.18 |

Remediation/Fixes

| Affected Product | Fixed in version | APAR |
| --- | --- | --- |
| IBM DataPower Gateway 10.0.1 | 10.0.1.19 | IT45944 |

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm datapower_gateway, Match 10.0.1
