VMware fixes bug exposing CF API admin credentials in audit logs

VMware has patched an information disclosure vulnerability in VMware Tanzu Application Service for VMs (TAS for VMs) and Isolation Segment caused by credentials being logged and exposed via system audit logs.  

TAS for VMs helps enterprises automate the deployment of applications across on-premises or public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack).

Tracked as CVE-2023-20891, the security flaw addressed today by Vmware would allow remote attackers with low privileges to access Cloud Foundry API admin credentials on unpatched systems in low-complexity attacks that don't require user interaction.

This happens because, on unpatched TAS for VMs instances, hex-encoded CF API admin credentials are logged in platform system audit logs.

Threat actors who exploit this vulnerability can use the stolen credentials to push malicious app versions. 

"A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application," VMware says.

Luckily, as highlighted by VMware, non-admin users don't have access to the system audit logs in standard deployment configurations.

Admin credential rotation recommended

However, the company still advises all TAS for VMs users affected by CVE-2023-20891 to rotate CF API admin credentials to ensure that attackers can't use any leaked passwords.

VMware provides detailed instructions on changing Cloud Foundry User Account and Authentication (UAA) admin credentials in this support document.

"TAS does not officially support changing the UAA admin user's password. The instructions above are not officially tested as a part of the Operations Manager test suite, so use them at your own risk," VMware warns.

"It may be tempting to change the admin user's password with the uaac utility. Unfortunately, this is not sufficient because it will only update the admin user's password in UAA. This leaves Operations Manager out of sync and can cause jobs and errands to fail."

Last month, VMware addressed high-severity security vCenter Server bugs allowing code execution and authentication bypass.

It also fixed an ESXi zero-day exploited by a Chinese-sponsored hacking group to backdoor Windows and Linux virtual machines in data theft attacks.

More recently, the company warned customers that exploit code is now available for a critical RCE vulnerability in the VMware Aria Operations for Logs analysis tool.