VMware has addressed an information disclosure vulnerability in the VMware Tanzu Application Service for Virtual Machines (TAS for Virtual Machines) and Isolation Segment caused by logging and exposure of credentials through system audit logs.

TAS for VMs helps enterprises automate the deployment of applications on-premises or to public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack).

Tracked as CVE-2023-20891, the vulnerability patched today by VMware would allow low-privileged remote attackers to access Cloud Foundry API administrator credentials on unpatched systems in low-complexity attacks that do not require user interaction.

This happens because, on unpatched TAS for VMs instances, hex-encoded CF API administrator credentials are written to the platform's system audit logs.
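As an added illustration (not code from VMware's advisory or from this article), the following Python scans audit log lines for long hex runs that decode cleanly to printable text, which is the shape of the leak described above; the log lines, field names and the credential value are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# A run of at least 16 hex digits (8 bytes) not glued to other alphanumerics.
HEX_RUN = re.compile(r"(?<![0-9A-Za-z])([0-9a-fA-F]{16,})(?![0-9A-Za-z])")


def decode_if_text(hex_run: str) -> Optional[str]:
    """Return the decoded ASCII text if the hex run is clean printable text, else None."""
    if len(hex_run) % 2:
        return None
    try:
        raw = bytes.fromhex(hex_run)
    except ValueError:
        return None
    # Hashes, request ids and binary blobs almost always contain non-printable bytes.
    if not all(32 <= b < 127 for b in raw):
        return None
    text = raw.decode("ascii")
    # Require at least one letter so digit-only runs (counters, timestamps) are ignored.
    if not any(c.isalpha() for c in text):
        return None
    return text


def find_hex_encoded_secrets(log_text: str) -> List[Dict[str, object]]:
    """Report every hex run in the log that decodes to readable text, with its line number."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in HEX_RUN.finditer(line):
            decoded = decode_if_text(match.group(1))
            if decoded is not None:
                findings.append({"line": line_no, "hex": match.group(1), "decoded": decoded})
    return findings


# Constructed sample audit log: line 2 carries a hex-encoded "admin:S3cretPass!" (made up);
# line 3 holds a SHA-1 and line 4 a UUID, both of which must not be reported.
SAMPLE_AUDIT_LOG = """\
2023-07-25T10:01:02Z audit user=ops action=login result=success
2023-07-25T10:01:07Z audit job=cf-cli-check args=cf-api-password=61646d696e3a5333637265745061737321
2023-07-25T10:01:09Z audit artifact=app.zip sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709
2023-07-25T10:01:11Z audit request_id=8f1c2d3e-4b5a-6c7d-8e9f-0a1b2c3d4e5f
"""

if __name__ == "__main__":
    for finding in find_hex_encoded_secrets(SAMPLE_AUDIT_LOG):
        print(f"line {finding['line']}: hex run decodes to readable text -> {finding['decoded']!r}")
```

A hit is a reason to rotate the credential and fix the logging path, not proof of compromise; review the matched lines rather than auto-deleting them, since the audit trail itself is evidence.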

Attackers who exploit this vulnerability can use the stolen credentials to push malicious versions of applications to the platform.

“A non-admin malicious user who has access to the platform’s system audit logs can gain access to hex-encoded CF API administrator credentials and can push new malicious versions of an application,” VMware explains.

Fortunately, as VMware pointed out, non-admin users do not have access to system audit logs in standard deployment configurations.

Admin Credential Rotation Recommended

However, the company still advises all TAS for VMs users affected by CVE-2023-20891 to rotate their CF API administrator credentials so that attackers cannot use any leaked passwords.

VMware provides step-by-step instructions for changing the Cloud Foundry User Account and Authentication (UAA) administrator credentials in this accompanying document.

“TAS does not officially support changing the UAA administrator user password. The instructions above are not officially tested as part of the Operations Manager test suite, so use them at your own risk,” VMware warns.

“It may be tempting to change the admin user’s password with the uaac utility. Unfortunately, this is not enough as it will only update the admin user’s password in UAA. This leaves Operations Manager out of sync and can cause jobs and runs to fail.”

Last month, VMware addressed high-severity vCenter Server security bugs that allowed code execution and authentication bypass.

It also fixed an ESXi zero-day exploited by a Chinese state-sponsored hacking group to hijack Windows and Linux virtual machines in data theft attacks.

More recently, the company warned customers that exploit code is now available for a critical RCE vulnerability in the VMware Aria Operations for Logs scan tool.
