Proof-of-Concept (PoC) exploit code has been made available to address a recently disclosed and critical flaw affecting VMware Aria Operations for Networks (formerly vRealize Network Insight).
The flaw, tracked as CVE-2023-34039, is rated 9.8 out of 10 for severity and is described as a case of authentication bypass due to the lack of unique cryptographic key generation.
“A malicious actor with network access to Area Operations for Network can bypass SSH authentication to gain access to Area Operations for Network CLI,” VMware said earlier this week.
Summoning Team’s Sina Kheirkhah, who published the PoC following an analyzing the patch by VMware, said the root cause can be traced back to a bash script containing a method named refresh_ssh_keys(), which is responsible for overwriting the current SSH keys for the support and ubuntu users in the authorized_keys file.
“SSH authentication exists; however, VMware forgot to regenerate the keys,” Kheirkhah said. “VMware’s Area Operations for Networks hard-coded its keys from version 6.0 to 6.10.”
VMware’s latest fixes also address CVE-2023-20890, an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution.
In other words, a threat actor could leverage the PoC to obtain admin access to the device and exploit CVE-2023-20890 to run arbitrary payloads, making it crucial that users apply the updates to secure against potential threats.
The release of POC coincides with the virtualization technology giant releasing a fix for a high-severity SAML token signature bypass flaw (CVE-2023-20900, CVSS score: 7.5) in multiple Windows and Linux versions of VMware Tools.
“A malicious actor with man-in-the-middle (MITM) network positioning in a virtual machine network may be able to bypass SAML token signature verification to perform VMware Tools guest operations,” the company said in an advisory issued Thursday. “
Peter Stockli of GitHub Security Lab is credited with reporting the flaw, which affects the following versions –
- VMware Tools for Windows (12.x.x, 11.x.x, 10.3.x) – fixed in 12.3.0
- VMware Tools for Linux (10.3.x) – Fixed in 10.3.26
- Open-source implementation of VMware Tools for Linux or open-vm-tools (12.x.x, 11.x.x, 10.3.x) – fixed in 12.3.0 (will be distributed by Linux vendors)
The development also comes as Fortinet FortiGuard Labs warned of continued exploitation of Adobe ColdFusion Vulnerabilities by threat actors to deploy cryptocurrency miners and hybrid bots such as Satan DDoS (aka Lucifer) and RudeMiner (aka SpreadMiner) that are capable of carrying out cryptojacking and distributed deniall-of-service (DDoS) attacks.
A backdoor named BillGates (aka Setag) has also been deployed, which is known to hijack systems, steal sensitive information, and launch DDoS attacks.