VMware warns admins of public exploit for vRealize RCE flaw

PoC exploit code is now available for an authentication bypass flaw in vRealize Log Insight


VMware has alerted its users to a significant security threat to its vRealize cloud management solution, now known as VMware Aria Operations for Logs.

Identified as CVE-2023-34051 in a recent advisory, the high-severity remote code execution (RCE) flaw (CVSS score 8.1) can allow an unauthorised attacker to execute code with root privileges, provided they have already compromised a host within the targeted environment and hold the permissions needed to add an interface or static IP address.

Horizon3, the security research team that initially discovered the vulnerability, provided a detailed analysis of the issue, along with a proof-of-concept (PoC) exploit and a list of indicators of compromise (IOCs) to aid in detecting any exploitation attempts within affected networks.

High-severity threat

The PoC exploit disclosed by the Horizon3 Attack Team leverages IP address spoofing and various Thrift RPC endpoints to achieve an arbitrary file write, ultimately enabling a reverse shell through a cron job. For the attack to succeed, the attacker must have the same IP address as a master or worker node.

What makes this situation even more critical is that this particular vulnerability serves as a bypass for a previously patched exploit chain (tracked collectively as VMSA-2023-0001) that was addressed by VMware in January.

By exploiting a sequence of critical flaws (CVE-2022-31706, CVE-2022-31704 and CVE-2022-31711), attackers can inject malicious files into the operating system of unpatched VMware appliances running Aria Operations for Logs.

String of cybersecurity threats

The security community has expressed concern over the ease of exploiting this vulnerability, even though it necessitates a certain level of infrastructure setup to serve malicious payloads.

Since the affected product is typically not directly exposed to the internet, attackers likely have already established a foothold elsewhere on the network. Threat actors often exploit vulnerabilities within previously compromised networks for lateral movement, making vulnerable VMware appliances lucrative internal targets.

This incident adds to a string of recent cybersecurity threats, including similar exploits on critical software, such as WS_FTP and VMware SSH authentication, as well as a zero-day vulnerability in Cisco's IOS XE that has been actively targeted in attacks.

In June, VMware also cautioned its users about another critical remote code execution vulnerability in VMware Aria Operations for Networks, tracked as CVE-2023-20887, that was being exploited in the wild.