Critical Exploit in VMware vRealize: A Call for Urgent Patching

July 10, 2023

VMware has alerted its customers that exploit code exists for a critical flaw (CVE-2023-20864) in the VMware Aria Operations for Logs analysis tool, which administrators use to manage large volumes of application and infrastructure logs in large-scale environments. The vulnerability, patched in April, is a deserialization issue that allows unauthenticated attackers to gain remote code execution on unpatched appliances. Successful exploitation lets threat actors execute arbitrary code as root in a low-complexity attack that requires no user interaction.

"VMware has confirmed that exploit code for CVE-2023-20864 has been published," the company stated in an update to the initial security advisory. "CVE-2023-20864 is a critical issue and should be patched immediately as per the instructions in the advisory."

In April, VMware also released security updates to address a less severe command injection vulnerability (CVE-2023-20865) that allows remote attackers with administrative privileges to execute arbitrary commands as root on vulnerable appliances. Both vulnerabilities have been addressed with the release of VMware Aria Operations for Logs 8.12. Currently, there is no evidence to suggest these vulnerabilities are being exploited in attacks.

More recently, VMware issued another alert about a now-patched critical bug (CVE-2023-20887) in VMware Aria Operations for Networks (previously known as vRealize Network Insight). This vulnerability allows for remote command execution as the root user and is being actively exploited in attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has included this flaw in its list of known exploited vulnerabilities and has mandated U.S. federal agencies to apply security updates by July 13th.

Given these developments, administrators are strongly encouraged to apply the CVE-2023-20864 patches as a precaution against potential future attacks. Although relatively few VMware vRealize instances are exposed online, these appliances are primarily designed for internal network access within organizations, and threat actors routinely exploit vulnerabilities in devices inside networks they have already compromised. As a result, even properly configured VMware appliances that remain unpatched can become attractive targets within the internal infrastructure of targeted organizations.
