
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2023-34059 is a file descriptor hijack vulnerability discovered in the vmware-user-suid-wrapper component of open-vm-tools. The vulnerability was reported on July 25, 2023, and publicly disclosed on October 27, 2023. It affects open-vm-tools versions from 11.0.0 up to and including 12.3.0. The vulnerability allows a malicious actor with non-root privileges to hijack the /dev/uinput file descriptor (OSS Security, VMware Advisory).
The vulnerability stems from the combination of dropping privileges to the real uid/gid and the subsequent execve() call to execute the non-setuid program vmtoolsd. During the execve() operation, the process's "dumpable" attribute is reset to 1, which allows the unprivileged user who originally invoked vmware-user-suid-wrapper to ptrace() the vmtoolsd process. This enables access to privileged file descriptors through modern Linux's pidfd API using pidfd_open() and pidfd_getfd() calls. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (High) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (OSS Security).
The vulnerability allows attackers to gain access to the /dev/uinput device, enabling them to create arbitrary userspace-based input devices and register them with the kernel. This capability allows the injection of synthesized key or mouse events into local user sessions, both graphical and textual login consoles. The impact could lead to privilege escalation after gaining low privilege access, particularly in multi-user environments where a background process could wait for a victim user to log in and then inject malicious input into their session (OSS Security).
The vulnerability has been patched in various distributions including Debian, Fedora, and Ubuntu. The fix involves preventing the "dumpable" attribute reset by moving the privilege drop logic into vmtoolsd. As a temporary hardening measure, access to vmware-user-suid-wrapper can be limited to members of a privileged group (e.g., vmware-users). Additionally, environment variables passed from the unprivileged context should be sanitized, particularly the PATH variable (Debian Security, OSS Security).
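A host triage check for the affected version range and the group-restriction hardening described above, as an added example that is not taken from the advisory or from open-vm-tools. The wrapper path, the function names and the sample version strings are assumptions; adjust them for the distribution being audited.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2023-34059 exposure.

# version_affected VERSION: exit 0 if 11.0.0 <= VERSION <= 12.3.0 (range from
# the advisory). Distributions backport the fix, so an in-range version is a
# signal to check the package changelog, not proof of exposure.
version_affected() {
    v=${1#*:}                 # drop a package epoch such as "2:"
    v=${v%%[!0-9.]*}          # drop a suffix such as "-1ubuntu2"
    old_ifs=$IFS; IFS=.
    set -- $v                 # split into major, minor, patch
    IFS=$old_ifs
    n=$(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
    [ "$n" -ge 110000 ] && [ "$n" -le 120300 ]
}

# wrapper_exposure PATH: classify the wrapper's file mode.
#   absent      file is not installed
#   not-setuid  setuid bit already removed
#   restricted  setuid, but "other" cannot execute it (group-limited hardening)
#   exposed     setuid and executable by any local user
wrapper_exposure() {
    f=$1
    [ -e "$f" ] || { echo absent; return 0; }
    [ -u "$f" ] || { echo not-setuid; return 0; }
    if [ -n "$(find "$f" -prune -perm -0001)" ]; then
        echo exposed
    else
        echo restricted
    fi
}

# Assumed install path; override with WRAPPER=/path when it differs.
WRAPPER=${WRAPPER:-/usr/bin/vmware-user-suid-wrapper}
echo "wrapper: $(wrapper_exposure "$WRAPPER")"

# Optional first argument: the installed open-vm-tools package version.
if [ -n "${1:-}" ]; then
    if version_affected "$1"; then
        echo "version $1: inside 11.0.0-12.3.0, confirm the backport status"
    else
        echo "version $1: outside the affected range"
    fi
fi
```

A result of `exposed` together with an in-range, unpatched version is the combination the advisory describes; `restricted` corresponds to the temporary hardening of limiting the wrapper to a privileged group.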
Source: This report was generated using AI