VMware fixes bug exposing CF API admin credentials in Audit Logs

Cyber Security Threat Summary:
VMware recently fixed an information disclosure bug impacting its VMware Tanzu Application Service for VMs (TAS for VMs) and Isolation Segment. “TAS for VMs helps enterprises automate the deployment of applications across on-premises or public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack).” Tracked as CVE-2023-20891, the issue seems to be caused by credentials being logged and exposed via system audit logs. According to VMware, remote attackers with low privileges can exploit the flaw to access Cloud Foundry API admin credentials on unpatched systems.

“A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs”, stated VMware in its advisory.
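The advisory only says the CF API admin credentials appear hex encoded in the platform audit logs. The following is an added defender-side check, not VMware's code: it scans audit log lines for hex runs that decode to credential-like text, reports them with a truncated preview, and can mask them so the logs can be retained after rotation. The log format, the 16-character minimum run length and the credential hints are assumptions.

```python
import re
import string

# Hex runs long enough to hold a credential. The 16-char floor is an assumption;
# the advisory only says the CF API admin credentials were hex encoded.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{16,})(?![0-9A-Fa-f])")
# Substrings that mark decoded text as credential-like (assumed heuristics).
SECRET_HINTS = ("password", "secret", "admin:", "authorization", "token")

def decode_hex_run(run):
    """Decode a hex run to printable ASCII text, else None (binary ids/hashes also look like hex)."""
    if len(run) % 2:
        return None
    try:
        text = bytes.fromhex(run).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c in string.printable for c in text) else None

def credential_hint(text):
    """Return the first matching hint in the decoded text, else None."""
    low = text.lower()
    return next((h for h in SECRET_HINTS if h in low), None)

def find_hex_encoded_secrets(lines):
    """Return (line_no, hint, preview) per credential-bearing hex run; preview keeps 4 chars only."""
    findings = []
    for n, line in enumerate(lines, 1):
        for run in HEX_RUN.findall(line):
            text = decode_hex_run(run)
            hint = credential_hint(text) if text else None
            if hint:
                findings.append((n, hint, text[:4] + "..."))
    return findings

def redact_hex_secrets(lines):
    """Mask credential-bearing hex runs so the log can be retained once credentials are rotated."""
    def mask(m):
        text = decode_hex_run(m.group(1))
        return "[REDACTED-HEX-CREDENTIAL]" if text and credential_hint(text) else m.group(1)
    return [HEX_RUN.sub(mask, line) for line in lines]

# Constructed sample audit log lines; the format is invented, not TAS's own.
# Line 2 carries "admin:P@ssw0rd!" hex encoded; line 3 carries a binary id.
SAMPLE_LOG = [
    "2023-07-25T10:01:02Z audit user=alice action=app.push app=billing status=ok",
    "2023-07-25T10:01:05Z audit user=svc action=cf.login args=61646d696e3a504073737730726421",
    "2023-07-25T10:02:00Z audit user=bob action=space.list id=deadbeefcafebabe0123",
]
```

A hit on your own audit logs means the credentials must be treated as compromised and rotated, and the retained copies masked.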

Security Officer Comments:
CVE-2023-20891 can be exploited in low-complexity attacks as it does not require user interaction. However, given that non-admin users do not have access to the system audit logs in standard deployments, obtaining the credentials is difficult for actors.

As of writing, VMware has not disclosed any details of active exploitation attempts.

Suggested Correction(s):
VMware has released patches for the impacted products, which administrators should apply as soon as possible. To ensure that threat actors cannot use any of the leaked credentials, the vendor also recommends that impacted users of VMware Tanzu Application Service for VMs and Isolation Segment rotate the CF API admin credentials, following the support document below:

https://community.pivotal.io/s/article/How-to-Change-the-Admin-Password-for-UAA?language=en_US

Link(s):
https://www.bleepingcomputer.com/ne...osing-cf-api-admin-credentials-in-audit-logs/