CVE-2023-34059 Overview
CVE-2023-34059 is a file descriptor hijack vulnerability in the vmware-user-suid-wrapper component of open-vm-tools. A local attacker with non-root privileges on a Linux guest virtual machine can hijack the /dev/uinput file descriptor opened by the SUID wrapper. Once hijacked, the attacker can inject synthetic keyboard and pointer events into the desktop session, effectively simulating user input. The flaw is classified under [CWE-404] (Improper Resource Shutdown or Release) and affects open-vm-tools packaged across major Linux distributions, including Debian 10, 11, and 12.
Critical Impact
Local low-privileged attackers on affected Linux guests can simulate user input via /dev/uinput, enabling keystroke and pointer injection that can drive privileged GUI actions and lead to host-level compromise of the guest session.
Affected Products
- VMware open-vm-tools (versions prior to the VMSA-2023-0024 fix)
- Debian GNU/Linux 10, 11, and 12 (open-vm-tools package)
- Fedora open-vm-tools packages (multiple releases)
Discovery Timeline
- 2023-10-27 - CVE-2023-34059 published to NVD and disclosed via the Openwall OSS Security mailing list
- 2023-10-27 - VMware publishes VMSA-2023-0024
- 2023-11-26 - Follow-up Openwall OSS Security announcement issued
- 2023-11 - Debian releases DSA-5543 and Debian LTS advisory
- 2025-03-06 - Last updated in NVD database
Technical Details for CVE-2023-34059
Vulnerability Analysis
The vmware-user-suid-wrapper binary is installed setuid-root to enable specific privileged operations required by the open-vm-tools user agent. One such operation is opening /dev/uinput, the Linux user-space input device that allows a process to inject synthetic input events into the kernel input subsystem. The SUID wrapper opens this device with elevated privileges, then passes the file descriptor to the non-privileged vmtoolsd user process.
The vulnerability stems from improper handling of this file descriptor across the privilege boundary. A local attacker can manipulate the wrapper's execution environment so that the descriptor is inherited or accessible to an attacker-controlled process instead of the intended consumer. Once the attacker holds a writable handle to /dev/uinput, they can craft input_event structures to deliver arbitrary keystrokes and mouse events to the active session.
Root Cause
The root cause is an improper resource lifecycle defect [CWE-404] in the SUID wrapper. The wrapper acquires a privileged file descriptor to /dev/uinput but fails to ensure the descriptor is transferred or scoped exclusively to the legitimate target process. Race conditions or process manipulation by a co-resident local user allow the descriptor to be hijacked before the intended handoff completes.
Attack Vector
Exploitation requires local access with low privileges on a Linux guest running a vulnerable open-vm-tools. The attacker races or interposes against vmware-user-suid-wrapper to capture the inherited /dev/uinput descriptor. With that descriptor, they can write structured input events to the kernel, simulating keystrokes that target any application currently focused in the desktop session. This can drive privileged GUI prompts, unlock screens, or launch commands in a higher-privileged user's terminal.
No public proof-of-concept exploit code is currently listed for this CVE. Refer to the VMware advisory VMSA-2023-0024 and the Openwall disclosure thread for technical specifics.
Detection Methods for CVE-2023-34059
Indicators of Compromise
- Unexpected processes holding open file descriptors to /dev/uinput that are not vmtoolsd or known input daemons.
- Unexplained keystroke or pointer activity in guest GUI sessions when no user is present.
- Non-root processes inheriting descriptors originally opened by vmware-user-suid-wrapper.
Detection Strategies
- Audit running open-vm-tools package versions across Linux guests and flag any below the fixed releases shipped in VMSA-2023-0024 and DSA-5543.
- Use lsof /dev/uinput and fuser /dev/uinput to enumerate processes with the input device open, alerting on unexpected UIDs or binary paths.
- Enable Linux auditd rules to record execve of vmware-user-suid-wrapper and open syscalls against /dev/uinput, correlating parent-child process relationships.
Monitoring Recommendations
- Forward auditd, journald, and EDR telemetry from Linux guests to a centralized data lake for cross-host correlation.
- Alert on local privilege escalation indicators such as non-interactive processes invoking SUID binaries followed by GUI input events.
- Track package inventory drift on virtualized Linux fleets to confirm patch deployment status of open-vm-tools.
How to Mitigate CVE-2023-34059
Immediate Actions Required
- Patch open-vm-tools on all affected Linux guests using the fixed packages from VMware, Debian, and Fedora.
- Restrict local interactive and shell access on multi-user Linux guests to trusted accounts only.
- Audit installations to confirm the vmware-user-suid-wrapper binary belongs to a patched package version.
Patch Information
VMware released fixed versions of open-vm-tools documented in VMSA-2023-0024. Debian published fixes in DSA-5543 and the corresponding Debian LTS advisory. Fedora distributed updated builds through the Fedora package-announce list. Apply the vendor-supplied package for your distribution and restart vmtoolsd or reboot the guest to ensure the new binary is loaded.
Workarounds
- Remove the setuid bit from vmware-user-suid-wrapper if the input-injection features are not required, accepting the loss of related guest functionality.
- Restrict access to /dev/uinput through udev rules or kernel module controls so that only trusted services can open it.
- Limit shell access on affected guests to reduce the local attack surface until patches are deployed.
# Configuration example: verify patched package and restrict /dev/uinput
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade open-vm-tools
dpkg -l open-vm-tools
# Fedora
sudo dnf upgrade open-vm-tools
rpm -q open-vm-tools
# Inspect SUID wrapper and active openers of /dev/uinput
ls -l /usr/bin/vmware-user-suid-wrapper
sudo lsof /dev/uinput
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
