CVE-2023-34059 Overview
CVE-2023-34059 is a file descriptor hijack vulnerability in VMware's open-vm-tools package, specifically within the vmware-user-suid-wrapper component. A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor, allowing them to simulate user inputs on the affected system.
This vulnerability affects systems running open-vm-tools, which is commonly deployed in virtual machines hosted on VMware infrastructure. The vulnerability enables local privilege escalation through improper resource handling, potentially allowing attackers to inject arbitrary input events.
Critical Impact
Local attackers with non-root privileges can hijack the /dev/uinput file descriptor to simulate user inputs, potentially leading to unauthorized actions and privilege escalation on VMware guest systems.
Affected Products
- VMware open-vm-tools (all versions prior to patched releases)
- Debian Linux 10.0 (Buster)
- Debian Linux 11.0 (Bullseye)
- Debian Linux 12.0 (Bookworm)
Discovery Timeline
- 2023-10-27 - CVE-2023-34059 published to NVD
- 2025-03-06 - Last updated in NVD database
Technical Details for CVE-2023-34059
Vulnerability Analysis
The vulnerability exists in the vmware-user-suid-wrapper binary, which is a setuid-root helper program used by open-vm-tools to perform privileged operations on behalf of unprivileged users. The core issue involves improper handling of the /dev/uinput file descriptor during the execution lifecycle of the wrapper.
The /dev/uinput device provides a userspace interface for creating virtual input devices, allowing programs to inject keyboard and mouse events into the kernel's input subsystem. Under normal circumstances, access to this device requires root privileges. However, the vulnerability allows a non-root attacker to hijack an already-opened file descriptor to /dev/uinput that was legitimately opened by the setuid wrapper.
This type of file descriptor hijacking can occur when the setuid binary does not properly close or protect file descriptors before dropping privileges or executing other code. An attacker positioned to exploit this weakness could inject arbitrary keyboard strokes, mouse movements, and clicks, effectively controlling user input on the system.
Root Cause
The root cause is classified as CWE-404 (Improper Resource Shutdown or Release). The vmware-user-suid-wrapper fails to properly close or protect the /dev/uinput file descriptor during its execution, leaving it accessible to unprivileged code paths. This improper resource management allows the file descriptor to be inherited or accessed by malicious processes, enabling the hijack attack.
Attack Vector
The attack requires local access to the system with non-root user privileges. The attacker must be able to execute code on a VMware guest virtual machine where open-vm-tools is installed. The attack flow involves:
- Identifying when the vmware-user-suid-wrapper binary opens /dev/uinput
- Exploiting the race condition or improper cleanup to gain access to the file descriptor
- Using the hijacked file descriptor to inject malicious input events
The local attack vector with high complexity requirements means the attacker needs precise timing and understanding of the vulnerable code path. However, successful exploitation grants the attacker significant control over user input simulation, which can be leveraged for further privilege escalation or malicious actions.
Due to the absence of verified exploitation code in public repositories, the specific technical implementation details should be referenced from the VMware Security Advisory VMSA-2023-0024 and the Openwall OSS Security mailing list discussion.
Detection Methods for CVE-2023-34059
Indicators of Compromise
- Unexpected processes accessing /dev/uinput device file
- Suspicious execution patterns of vmware-user-suid-wrapper with unusual parent processes
- Anomalous input events occurring without user interaction
- Non-root processes holding file descriptors to /dev/uinput
Detection Strategies
- Monitor file access to /dev/uinput using auditd rules to detect unauthorized access attempts
- Implement process monitoring for vmware-user-suid-wrapper execution with anomaly detection for unusual calling patterns
- Deploy endpoint detection rules that alert on non-standard file descriptor inheritance patterns involving privileged device files
- Use SentinelOne's behavioral AI to detect abnormal input injection activities on VMware guest systems
Monitoring Recommendations
- Configure audit logging for all access to /dev/uinput device: auditctl -w /dev/uinput -p rwxa -k uinput_access
- Monitor for unusual setuid binary execution patterns on systems with open-vm-tools installed
- Implement alerting on synthetic input events that don't correlate with physical user activity
- Review process trees for unexpected relationships between non-root processes and the vmware-user-suid-wrapper
How to Mitigate CVE-2023-34059
Immediate Actions Required
- Update open-vm-tools to the latest patched version available for your Linux distribution
- Review and restrict access to systems where open-vm-tools is deployed until patches are applied
- Monitor affected systems for signs of exploitation using the detection strategies outlined above
- Consider temporarily disabling the vmware-user-suid-wrapper if the functionality is not critical to operations
Patch Information
VMware has released patches addressing this vulnerability. Administrators should apply the following updates based on their distribution:
- VMware: Apply patches per VMware Security Advisory VMSA-2023-0024
- Debian: Apply updates per Debian Security Advisory DSA-5543 and the Debian LTS Announcement
- Fedora: Apply updates available through the Fedora Package Announcements
Workarounds
- Restrict local user access on VMware guest systems to trusted administrators only
- Remove setuid bit from vmware-user-suid-wrapper if the functionality is not required: chmod u-s /usr/bin/vmware-user-suid-wrapper
- Implement mandatory access control (SELinux/AppArmor) policies to restrict access to /dev/uinput
- Monitor and limit which processes can access the uinput subsystem using device cgroups
# Audit rule configuration for monitoring /dev/uinput access
auditctl -w /dev/uinput -p rwxa -k uinput_access
# Check current permissions on vmware-user-suid-wrapper
ls -la /usr/bin/vmware-user-suid-wrapper
# Temporarily remove setuid bit (if functionality not required)
chmod u-s /usr/bin/vmware-user-suid-wrapper
# Verify open-vm-tools version
vmware-toolbox-cmd -v
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
