June 22, 2023
A critical vulnerability in VMware Aria Operations for Networks demands the utmost attention. Organizations should take heed since alarming reports have revealed that hostile actors could exploit this vulnerability to gain unauthorized access, install programs, delete data, and create accounts with full user rights.
The stakes are high, urging immediate action to bolster defenses and prevent potential fallout. Within this urgent context, it becomes crucial to implement measures that could mitigate the risks of threat.
Table of Contents
Critical Vulnerabilities in VMware Aria Operations for Networks
Recently, VMware made an alarming announcement confirming an exploited vulnerability on VMware Aria Operations (formerly known as vRealize Network Insight) network analytics tool.
This remote code execution vulnerability, CVE-2023-20887, poses a significant threat to the security and integrity of systems utilizing the tool. Cybersecurity company GreyNoise also reports the “widespread exploitation of the vulnerability in the wild,” eventually raising concerns about the potential impact and reach of the attacks.
Such proof of concept exploit can have disastrous consequences, giving unauthorized users access to vulnerable systems and compromising important data or causing wide-scale disruptions. The 9.8 high CVSS severity score also highlights the potential for extensive damage and the necessity for swift action to mitigate the vulnerability’s impact.
CVE-2023-20887 is one of the three vulnerabilities, with the other two listed as CVE-2023-20888, an authenticated deserialization vulnerability, and CVE-2023-20889, an information disclosure vulnerability.
Thankfully, VMware hasn’t treated this issue lightly. The leading cloud computing software provider has released security updates to address the vulnerability issues in response to the threat.
Mass Scanning Activity and Patch Release
On June 13, 2023, a significant cybersecurity event occurred when security researcher Sina Kheirkhah from Summoning Team published a proof-of-concept (PoC) exploit for a pre-authentication command injection vulnerability.
This vulnerability posed a serious threat, allowing attackers to execute commands on vulnerable systems without needing to authenticate first. As soon as the PoC exploit became public, cybercriminals wasted no time, and just two days later, reports of exploitation on unpatched systems began to emerge.
The aftermath of the exploit’s publication was not without notice. GreyNoise, a reputable cybersecurity firm, detected a surge in mass-scanning activities. These scans were primarily focused on identifying systems that had not yet received the necessary patches to mitigate the vulnerability. The urgency to identify vulnerable systems and reduce the potential impact highlighted the flaw’s severity.
The VMware Aria Operations for Networks has been the target of multiple attacks lately. Besides the CVE-2023-20887 exploit, two other vulnerabilities were discovered and brought to light. Among these, one was classified as critical (CVE-2023-20888), while the other was deemed important (CVE-2023-20889).
Fortunately, VMWare demonstrated a responsible and swift response to these threats by releasing patches to address all three vulnerabilities approximately two weeks prior. This proactive approach aims to protect users and prevent potential attacks that could exploit the identified flaws.
Details of the Exploited VMware Vulnerabilities
CVE-2023-20887 and CVE-2023-20888 are critical security vulnerabilities that affect VMware Aria Operations for Networks. Malicious actors with access to the network may exploit these vulnerabilities to launch damaging attacks, delete data, and seize unauthorized control.
CVE-2023-20887 poses a significant threat as it allows unauthorized access to the system through a malicious command injection attack. A malevolent actor with network access could exploit this vulnerability, remotely executing code and gaining control over the target environment.
Similarly, CVE-2023-20888 presents another danger involving deserialization. In this case, an attacker with network access could manipulate the deserialization process, enabling the execution of unauthorized code remotely. The consequences of successful exploitation could be dire, as the attacker gains unauthorized control over VMware Aria Operations for Networks.
Lastly, a third vulnerability exists. CVE-2023-20889 presents a risk of a command injection attack. Malicious actors exploiting this flaw could execute unauthorized commands that lead to the disclosure of sensitive information. Such an attack could compromise data confidentiality and system integrity, putting organizations at significant risk.
Actions Taken: Applying Appropriate Updates
VMware states that no workarounds are available to address these vulnerability issues. Those affected by the VMware Aria Operations for Networks vulnerability should immediately apply the patches available in version KB92684.
To effectively address the identified flaws, it is imperative for all existing on-prem installations of VMware Aria Operations Networks 6.x to undergo the necessary patching process. Doing so can significantly reduce the dangers of possible exploitation, and at the same time, the integrity of the system can be protected.
Version KB92684 is a crucial update for guaranteeing the resilience and robustness of the platform since it effectively implements the correction for all three vulnerabilities.
