VMware warns admins of public exploit for vRealize RCE flaw

VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs).

"Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," the company said in an update to the original advisory.

Tracked as CVE-2023-34051, it allows unauthenticated attackers to execute code remotely with root permissions if certain conditions are met.

Successful exploitation hinges on the attacker compromising a host within the targeted environment and possessing permissions to add an extra interface or static IP address, according to the Horizon3 security researchers who discovered the bug.

Horizon3 published a technical root cause analysis for this security flaw on Friday with further information on how CVE-2023-34051 can be used to gain remote code execution as root on unpatched VMware appliances.

The security researchers also released a PoC exploit and a list of indicators of compromise (IOCs) that network defenders can use to detect exploitation attempts within their environments.

"This POC abuses IP address spoofing and various Thrift RPC endpoints to achieve an arbitrary file write," the Horizon3 Attack Team said.

"The default configuration of this vulnerability writes a cron job to create a reverse shell. Be sure to change the payload file to suit your environment.

"For this attack to work, an attacker must have the same IP address as a master/worker node."

CVE-2023-34051 PoC exploit tweet

Bypass for an RCE exploit chain

This vulnerability is also a bypass for an exploit chain of critical flaws patched by VMware in January, which enables attackers to gain remote code execution.

The first (CVE-2022-31706) is a directory traversal bug, the second (CVE-2022-31704) is a broken access control flaw, while the third, an information disclosure bug (CVE-2022-31711), allows attackers to gain access to sensitive session and application information.

Attackers can chain these vulnerabilities (collectively tracked as VMSA-2023-0001 by VMware) to inject maliciously crafted files into the operating system of VMware appliances running unpatched Aria Operations for Logs software.

When Horizon3 security researchers released a VMSA-2023-0001 PoC exploit one week after the company pushed security updates, they explained that their RCE exploit "abuses the various Thrift RPC endpoints to achieve an arbitrary file write."

"This vulnerability is easy to exploit; however, it requires the attacker to have some infrastructure set up to serve malicious payloads," they said.

"Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network."

However, threat actors often exploit vulnerabilities within previously compromised networks for lateral movement, making vulnerable VMware appliances valuable internal targets.

In June, VMware warned customers about another critical remote code execution vulnerability in VMware Aria Operations for Networks (tracked as CVE-2023-20887) being exploited in attacks.