VMware Faces Critical Vulnerability as PoC Exploit Code Emerges
A newly disclosed vulnerability in VMware Aria Operations for Networks (formerly vRealize Network Insight) has raised serious security concerns now that proof-of-concept (PoC) exploit code is publicly available. The critical flaw, tracked as CVE-2023-34039, carries a CVSS score of 9.8 out of 10. It is an authentication bypass caused by a lack of unique cryptographic key generation: instead of minting its own SSH key material at install time, every affected appliance trusts the same keys.
According to VMware, a malicious actor with network access to Aria Operations for Networks can exploit this vulnerability to bypass SSH authentication and gain access to the appliance's command-line interface. Because the appliance has visibility into network operations across the environment it monitors, a successful exploit is a significant breach, not merely a foothold on an isolated box.
Sina Kheirkhah of the Summoning Team, who published the PoC, traced the root cause to a bash script on the appliance. The script contains a function named refresh_ssh_keys(), which is meant to overwrite the SSH public keys for the "support" and "ubuntu" users in their authorized_keys files with freshly generated ones. Kheirkhah found that this regeneration never happened: the keys remained hard-coded across every release from 6.0 to 6.10. Because the same key pair is trusted on every affected appliance, anyone who extracts the private key from one appliance image can authenticate as those users on any other, which is why the issue amounts to a straightforward authentication bypass and why unique, per-installation key generation is a baseline requirement of key management.
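The defect described above is a key-management failure rather than a cryptographic one: a routine that was supposed to produce a unique key pair on each appliance never did, so every installation trusted the same public key. The following Python is an added example written for this article, not VMware's script and not the Summoning Team PoC. It shows the check a defender can run across a fleet: gather each appliance's authorized_keys for the support and ubuntu accounts, compute the same SHA256 fingerprint that `ssh-keygen -l` prints, and report any key trusted on more than one appliance. The appliance names (aria-01, aria-02) and all key material are constructed for the example; no real VMware key is included.

```python
"""Fleet check for shared SSH authorized_keys entries.

Added example for this article; not VMware's refresh_ssh_keys() script and
not the Summoning Team PoC. Standard library only. All hosts and keys below
are constructed so the script runs offline."""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def make_ed25519_entry(pubkey32: bytes, comment: str) -> str:
    """Build one authorized_keys line for a constructed 32-byte Ed25519 key.
    The blob uses OpenSSH wire format: uint32 length-prefixed type string,
    then uint32 length-prefixed key bytes (RFC 4253 string encoding)."""
    if len(pubkey32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + pubkey32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the format ssh-keygen -lf prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) per key line.

    Comment lines and blanks are skipped. A leading options field (e.g.
    'no-pty' or 'command="..."' without embedded spaces) is tolerated. A
    blob whose embedded type string disagrees with the declared type is
    rejected rather than fingerprinted, since that is how a tampered or
    corrupted entry shows up."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if not parts[0].startswith(KEY_TYPE_PREFIXES):
            parts = line.split(None, 3)[1:]      # drop the options field
        if len(parts) < 2:
            raise ValueError(f"unparseable authorized_keys line: {raw!r}")
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) > 2 else ""
        blob = base64.b64decode(b64, validate=True)
        (type_len,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + type_len].decode("ascii", "replace")
        if embedded != key_type:
            raise ValueError(f"declared {key_type} but blob carries {embedded}")
        yield key_type, fingerprint(blob), comment


def find_shared_keys(fleet: dict) -> dict:
    """fleet maps appliance -> {account: authorized_keys text}.

    Returns {fingerprint: sorted [(appliance, account), ...]} for every key
    trusted on more than one appliance. With per-appliance key generation
    working correctly the result is empty; a baked-in key shows up on every
    host in the fleet."""
    seen = defaultdict(set)
    for appliance, accounts in fleet.items():
        for account, text in accounts.items():
            for _, fp, _ in parse_authorized_keys(text):
                seen[fp].add((appliance, account))
    return {fp: sorted(where) for fp, where in seen.items()
            if len({host for host, _ in where}) > 1}


# Constructed sample fleet: the "support" key is identical on both appliances
# (the defect), while each "ubuntu" key was generated per appliance.
BAKED_IN_SUPPORT_KEY = bytes(range(32))           # constructed, not a real key
FLEET = {
    "aria-01": {
        "support": make_ed25519_entry(BAKED_IN_SUPPORT_KEY, "support@build"),
        "ubuntu": make_ed25519_entry(hashlib.sha256(b"aria-01").digest(),
                                     "ubuntu@aria-01"),
    },
    "aria-02": {
        "support": make_ed25519_entry(BAKED_IN_SUPPORT_KEY, "support@build"),
        "ubuntu": make_ed25519_entry(hashlib.sha256(b"aria-02").digest(),
                                     "ubuntu@aria-02"),
    },
}

if __name__ == "__main__":
    for fp, where in find_shared_keys(FLEET).items():
        print(f"{fp} is trusted on {len(where)} accounts: {where}")
```

In a real deployment, replace FLEET with the authorized_keys files pulled from each appliance (for instance via the same management access that was used to apply the patch). A fingerprint that recurs across hosts is either a deliberately shared administrative key, which should be documented, or a baked-in default of exactly the kind that caused CVE-2023-34039.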
Alongside CVE-2023-34039, VMware also addressed CVE-2023-20890, an arbitrary file write vulnerability. An adversary who already holds administrative access could write files to arbitrary locations on the appliance and thereby achieve remote code execution. The two flaws chain: a threat actor could use the PoC for CVE-2023-34039 to gain administrative access and then leverage CVE-2023-20890 to execute an arbitrary payload. Organizations should therefore apply VMware's fix without delay, upgrading to Aria Operations for Networks 6.11 or applying the patches VMware published for earlier 6.x releases.
The PoC release coincides with VMware's fix for another serious issue: a SAML token signature bypass in VMware Tools (CVE-2023-20900) affecting both Windows and Linux builds. Rated CVSS 7.5, the flaw lets an attacker in a man-in-the-middle position on the virtual machine's network bypass SAML token signature verification and perform VMware Tools Guest Operations without authorization.
Peter Stöckli of GitHub Security Lab is credited with reporting the SAML flaw. Affected versions span VMware Tools for Windows and VMware Tools for Linux, and VMware has released patched builds for both.
Separately, exploitation of Adobe ColdFusion vulnerabilities continues. Fortinet FortiGuard Labs reports threat actors deploying cryptocurrency miners and a hybrid bot capable of both cryptojacking and DDoS attacks, as well as the BillGates backdoor, a malware family associated with data theft and DDoS.
In summary, CVE-2023-34039 is a reminder that an appliance shipping with static credentials or key material is only as secure as the most exposed copy of that image. Organizations running the affected products should apply the updates promptly. Mapping these attacks onto the MITRE ATT&CK framework (initial access through the SSH bypass, then persistence and privilege escalation on the compromised appliance) helps defenders decide which detections and hardening steps to prioritize.