CVE-2023-20887: VMware Aria Operations for Networks Command Injection
VMware issues advisory to address three flaws in its VMware Aria Operations for Networks solution, including a critical command injection flaw assigned a CVSSv3 score of 9.8.
Update June 20: Updated the Analysis section to include a note on the confirmed in-the-wild exploitation of CVE-2023-20887.
Background
On June 7, VMware published an advisory (VMSA-2023-0012.1) to address three vulnerabilities in VMware Aria Operations for Networks, formerly known as vRealize Network Insight (vRNI), a solution for building secure network infrastructure in hybrid and multi-cloud environments. Two of the vulnerabilities disclosed in this advisory are rated as critical.
CVE | Description | CVSSv3 | VPR* |
---|---|---|---|
CVE-2023-20887 | Aria Operations for Networks Command Injection Vulnerability | 9.8 | 9.0 |
CVE-2023-20888 | Aria Operations for Networks Authenticated Deserialization Vulnerability | 9.1 | 7.4 |
CVE-2023-20889 | Aria Operations for Networks Information Disclosure Vulnerability | 8.8 | 4.4 |
*Please note: Tenable’sVulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 14 and reflects VPR at that time.
All three of the flaws were reported to VMware via Trend Micro’s Zero Day Initiative (ZDI) and two of the three were credited to Sina Kheirkhah (@SinSinology) of Summoning Team. A blog post on Summoning Team’s website was released which details the exploitation process of CVE-2023-20887. The blog post also acknowledges that another anonymous researcher reported the flaw to ZDI first and VMware’s advisory attributed CVE-2023-20887 to “Anonymous” working with ZDI.
Analysis
CVE-2023-20887 is a command injection vulnerability in VMware Aria Operations for Networks which can be leveraged to achieve remote code execution (RCE). As described in the blog post by Summoning Team, this vulnerability exists due to a chain of two issues. The first issue is the command injection flaw, but to reach the vulnerable code, a request must be made to an endpoint that should be denied due to the nginx rule set. However, the blog points out that the rule can be bypassed with a specially crafted request. By chaining these two issues together in a crafted request, it would allow an unauthenticated attacker to achieve RCE.
CVE-2023-20888 is a deserialization vulnerability in VMware Aria Operations for Networks. An authenticated attacker with credentials for a valid ‘member’ role could use a crafted request to perform a deserialization attack that would result in RCE.
CVE-2023-20889 is an information disclosure vulnerability in VMware Aria Operations for Networks. An authenticated attacker with network access could perform a command injection attack which would result in the disclosure of data.
CVE-2023-20887 is reportedly a patch bypass of CVE-2022-31702
According to a tweet by researcher Y4er, CVE-2023-20887 is reportedly a patch bypass for CVE-2022-31702, another critical command injection vulnerability in vRNI that was patched by VMware in December 2022. More details on CVE-2022-31702 and the patch bypass can be found in this blog post.
Great article! But I think you are missing a very critical part, CVE-2023-20887 is actually a patch bypass for CVE-2022-31702.
— Y4er (@Y4er_ChaBug) June 14, 2023
This is an analysis article I wrote, please read it and correct me.https://t.co/NjU1xuGsaI https://t.co/R88WHvPzj3
VMware confirms in-the-wild exploitation of CVE-2023-20887
On June 20, VMware updated its advisory to confirm that exploitation of CVE-2023-20887 "has occurred in the wild." Researchers at GreyNoise recently confirmed in a blog post on June 15 that they observed "attempted mass-scanning activity" using a publicly available proof-of-concept (PoC). No additional information on the confirmed in-the-wild exploitation is known.
Proof of concept
A PoC for CVE-2023-20887 has been published to GitHub and it was also included in the blog post by Summoning Team. At the time this blog post was published on June 14, no PoC code was available for the other two CVEs.
Solution
VMware released fixed versions of VMware Aria Operations for Networks to address these flaws. The fixed versions and patching instructions can be found in KB92684 and are included in the following table.
Affected Versions | Fixed Build |
---|---|
6.2.0 | 1684162127 |
6.3.0 | 1684163738 |
6.4.0 | 1684166601 |
6.5.1 | 1684151627 |
6.6.0 | 1684154516 |
6.7.0 | 1684151941 |
6.8.0 | 1684995353 |
6.9.0 | 1684998280 |
6.10.0 | 1685358321 |
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- VMware VMSA-2023-0012.1 Advisory
- VMware KB92684 : Addressing CVE-2023-20887, CVE-2023-20888, CVE-2023-20889 in VMware Aria Operations for Networks (Formerly vRealize Network Insight) On-Prem installations (92684)
- Summoning Team Blog: Pre-authenticated RCE in VMware vRealize Network Insight CVE-2023-20887
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Change Log
Update June 20: Updated the Analysis section to include a note on the confirmed in-the-wild exploitation of CVE-2023-20887.
Related Articles
- Exposure Management