PoC Exploit Released for Critical VMware Aria's SSH Auth Bypass Vulnerability

2023-09-03 04:42:00
The Hacker News
thehackernews.com
vmware
aria operations
ssh auth bypass
vulnerability
poc
exploit
cve-2023-34039
sina kheirkhah
aria operations for networks
cybersecurity
cve-2023-20890
arbitrary file write
remote code execution
saml token signature bypass
cve-2023-20900
peter stöckli
vmware tools
fortinet fortiguard labs
adobe coldfusion vulnerabilities
threat actors
cryptocurrency miners

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.945 High
  Percentile: 99.2%

SSH Auth Bypass Vulnerability

Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight).

The flaw, tracked as CVE-2023-34039, is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation.

"A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," VMware said earlier this week.

Summoning Team's Sina Kheirkhah, who published the PoC after analyzing the patch released by VMware, said the root cause can be traced back to a bash script containing a function named refresh_ssh_keys(), which overwrites the SSH public keys for the support and ubuntu users in their authorized_keys files. Because those keys were shipped with the appliance image rather than generated per installation, anyone holding the corresponding private key could authenticate to any unpatched instance.

"There is SSH authentication in place; however, VMware forgot to regenerate the keys," Kheirkhah said. "VMware's Aria Operations for Networks had hard-coded its keys from version 6.0 to 6.10."
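The defensive check that follows from this bug class is simple to state: if the same public key appears in the authorized_keys file of more than one appliance, it was not generated per installation. The script below is an added example, not code from The Hacker News, VMware or the published PoC. It parses authorized_keys content collected from several appliances, computes OpenSSH-style SHA256 fingerprints, and reports any key present on more than one host. The appliance names, user names and key material are constructed for the demo; the real VMware key is not reproduced here.

```python
"""Flag SSH authorized_keys entries shared across a fleet of appliances.

Added example for the hard-coded-key condition described in the article.
All appliance names, users and key bytes are constructed test data.
"""
import base64
import hashlib
import re
import struct
from collections import defaultdict

# OpenSSH key-type tokens we recognise in an authorized_keys line.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Search (not match) so leading options like command="..." are tolerated.
KEY_RE = re.compile(r"(?:^|\s)(%s)\s+([A-Za-z0-9+/=]+)"
                    % "|".join(map(re.escape, KEY_TYPES)))


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(seed: bytes) -> str:
    """Build a base64 ssh-ed25519 public-key blob from 32 constructed bytes.
    Only the wire layout matters for fingerprinting, so the bytes need not be
    a real curve point. Test data only, not a usable key."""
    if len(seed) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(seed)
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded blob)), unpadded."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint) per key line; skip blanks, comments and
    lines that carry no recognisable key."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            yield m.group(1), fingerprint(m.group(2))


def find_shared_keys(fleet):
    """fleet: {appliance: {user: authorized_keys_text}}.
    Return {fingerprint: sorted ['appliance:user', ...]} for every key found
    on more than one appliance. Such a key was baked into the image rather
    than generated per install, which is exactly the CVE-2023-34039 condition."""
    seen = defaultdict(set)
    for appliance, users in fleet.items():
        for user, text in users.items():
            for _ktype, fp in parse_authorized_keys(text):
                seen[fp].add(f"{appliance}:{user}")
    return {fp: sorted(where) for fp, where in seen.items()
            if len({w.split(":")[0] for w in where}) > 1}


# Constructed fleet of three appliances: one vendor-baked key in every
# 'support' file (once behind restrictive options), one unique key per
# 'ubuntu' file, plus a comment and a junk line to exercise the parser.
BAKED = make_ed25519_blob(b"A" * 32)
FLEET = {
    "aria-01": {
        "support": f"ssh-ed25519 {BAKED} support@image\n",
        "ubuntu": f"# local admin\nssh-ed25519 {make_ed25519_blob(b'1' * 32)} admin@site1\n",
    },
    "aria-02": {
        "support": f"ssh-ed25519 {BAKED} support@image\n",
        "ubuntu": f"ssh-ed25519 {make_ed25519_blob(b'2' * 32)} admin@site2\n",
    },
    "aria-03": {
        "support": f'command="/bin/false",no-pty ssh-ed25519 {BAKED} support@image\n',
        "ubuntu": f"ssh-ed25519 {make_ed25519_blob(b'3' * 32)} admin@site3\n\nnot a key line\n",
    },
}


def report(fleet=FLEET):
    shared = find_shared_keys(fleet)
    for fp, where in shared.items():
        print(f"SHARED {fp} in {len(where)} files: {', '.join(where)}")
    if not shared:
        print("no authorized key is shared between appliances")
    return shared


if __name__ == "__main__":
    report()
```

In a real engagement the FLEET mapping would be filled from files pulled off each appliance (for example over the vendor's supported console), and any fingerprint flagged by find_shared_keys is a candidate for a key that every customer shares. Once the vendor patch has regenerated keys, re-running the same check should report nothing shared.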


VMware’s latest fixes also address CVE-2023-20890, an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution.

In other words, a threat actor could use the PoC to obtain a foothold on the appliance and then exploit CVE-2023-20890 to write files and run arbitrary payloads, which makes it crucial that users apply the updates rather than relying on either issue being hard to reach on its own.

The release of the PoC coincides with the virtualization technology giant issuing fixes for a high-severity SAML token signature bypass flaw (CVE-2023-20900, CVSS score: 7.5) across several Windows and Linux versions of VMware Tools.

"A malicious actor with man-in-the-middle (MITM) network positioning in the virtual machine network may be able to bypass SAML token signature verification, to perform VMware Tools Guest Operations," the company said in an advisory released Thursday.

Peter Stöckli of GitHub Security Lab has been credited with reporting the flaw, which affects the following versions -

  • VMware Tools for Windows (12.x.x, 11.x.x, 10.3.x) - Fixed in 12.3.0
  • VMware Tools for Linux (10.3.x) - Fixed in 10.3.26
  • Open-source implementation of VMware Tools for Linux or open-vm-tools (12.x.x, 11.x.x, 10.3.x) - Fixed in 12.3.0 (to be distributed by Linux vendors)

The development also comes as Fortinet FortiGuard Labs warned of continued exploitation of Adobe ColdFusion vulnerabilities by threat actors to deploy cryptocurrency miners and hybrid bots such as Satan DDoS (aka Lucifer) and RudeMiner (aka SpreadMiner), which are capable of carrying out both cryptojacking and distributed denial-of-service (DDoS) attacks.

Also deployed is a backdoor named BillGates (aka Setag), which is known for hijacking systems, stealing sensitive information, and initiating DDoS attacks.

