CVE-2023-20887: VMware Aria Operations for Networks Command Injection


CVE-2023-20887: VMware Aria Operations for Networks Command Injection

VMware issues advisory to address three flaws in its VMware Aria Operations for Networks solution, including a critical command injection flaw assigned a CVSSv3 score of 9.8.

Background

On June 7, VMware published an advisory (VMSA-2023-0012.1) to address three vulnerabilities in VMware Aria Operations for Networks, formerly known as vRealize Network Insight (vRNI), a solution for building secure network infrastructure in hybrid and multi-cloud environments. Two of the vulnerabilities disclosed in this advisory are rated as critical.

CVE Description CVSSv3 VPR*
CVE-2023-20887 Aria Operations for Networks Command Injection Vulnerability 9.8 9.0
CVE-2023-20888 Aria Operations for Networks Authenticated Deserialization Vulnerability 9.1 7.4
CVE-2023-20889 Aria Operations for Networks Information Disclosure Vulnerability 8.8 4.4

*Please note: Tenable’sVulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 14 and reflects VPR at that time.

All three of the flaws were reported to VMware via Trend Micro’s Zero Day Initiative (ZDI) and two of the three were credited to Sina Kheirkhah (@SinSinology) of Summoning Team. A blog post on Summoning Team’s website was released which details the exploitation process of CVE-2023-20887. The blog post also acknowledges that another anonymous researcher reported the flaw to ZDI first and VMware’s advisory attributed CVE-2023-20887 to “Anonymous” working with ZDI.

Analysis

CVE-2023-20887 is a command injection vulnerability in VMware Aria Operations for Networks which can be leveraged to achieve remote code execution (RCE). As described in the blog post by Summoning Team, this vulnerability exists due to a chain of two issues. The first issue is the command injection flaw, but to reach the vulnerable code, a request must be made to an endpoint that should be denied due to the nginx rule set. However, the blog points out that the rule can be bypassed with a specially crafted request. By chaining these two issues together in a crafted request, it would allow an unauthenticated attacker to achieve RCE.

CVE-2023-20888 is a deserialization vulnerability in VMware Aria Operations for Networks. An authenticated attacker with credentials for a valid ‘member’ role could use a crafted request to perform a deserialization attack that would result in RCE.

CVE-2023-20889 is an information disclosure vulnerability in VMware Aria Operations for Networks. An authenticated attacker with network access could perform a command injection attack which would result in the disclosure of data.

CVE-2023-20887 is reportedly a patch bypass of CVE-2022-31702

According to a tweet by researcher Y4er, CVE-2023-20887 is reportedly a patch bypass for CVE-2022-31702, another critical command injection vulnerability in vRNI that was patched by VMware in December 2022. More details on CVE-2022-31702 and the patch bypass can be found in this blog post.

Proof of concept

A proof-of-concept (PoC) for CVE-2023-20887 has been published to GitHub and it was also included in the blog post by Summoning Team. At the time this blog post was published on June 14, no PoC code was available for the other two CVEs.

Solution

VMware released fixed versions of VMware Aria Operations for Networks to address these flaws. The fixed versions and patching instructions can be found in KB92684 and are included in the following table.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.





Source link