ProjectDiscovery Research analysts discovered a critical SSH authentication bypass vulnerability in VMware's Aria Operations for Networks tool, formerly known as vRealize Network Insight. The vulnerability, identified as CVE-2023-34039, was patched by VMware with the release of version 6.11. The flaw allows remote attackers to bypass SSH authentication on unpatched appliances and access the tool's command line interface in low-complexity attacks that don't need user interaction. This is due to what VMware describes as "a lack of unique cryptographic key generation."
To address the vulnerability, VMware strongly advises applying security patches for Aria Operations for Networks versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10, as detailed in their support document. The company confirmed that the exploit code for CVE-2023-34039 has been published online, two days after the critical security bug was disclosed.
The proof-of-concept (PoC) exploit targets all Aria Operations for Networks versions from 6.0 to 6.10. It was developed and released by Summoning Team vulnerability researcher Sina Kheirkhah. Kheirkhah explained that the issue stems from hardcoded SSH keys, which remained in place because VMware neglected to regenerate the SSH authorized keys. "Each version of VMware's Aria Operations for Networks has a unique SSH key. To create a fully functional exploit, I had to collect all the keys from different versions of this product," Kheirkhah said.
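The root cause described above, the same authorized SSH key on every install of a given version, can be audited from the defender's side by fingerprinting `authorized_keys` entries across appliances and flagging any key that appears on more than one host. This is an added example, not code from VMware, ProjectDiscovery or the published PoC; the host names and key blobs are constructed, and `fingerprint`, `shared_keys` and `fake_key` are hypothetical helper names.

```python
import base64
import hashlib
import re
import struct
from collections import defaultdict

# Key type followed by its base64 blob; any options before it are skipped.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/]+=*)")

def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, else None."""
    line = line.strip()
    match = None if line.startswith("#") else KEY_RE.search(line)
    if not match:
        return None
    key_type, b64 = match.groups()
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # malformed base64
        return None
    # The blob starts with a length-prefixed copy of the key type; reject mismatches.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
        return None
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_keys(hosts):
    """Map fingerprint -> sorted host names, for keys authorized on more than one host."""
    seen = defaultdict(set)
    for host, text in hosts.items():
        for line in text.splitlines():
            fp = fingerprint(line)
            if fp:
                seen[fp].add(host)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}

def fake_key(seed):
    """Constructed ed25519-shaped public key line (not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed authorized_keys contents from three hypothetical appliances.
SAMPLE = {
    "appliance-a": f"{fake_key(1)} image-key\n{fake_key(2)} admin@a\n",
    "appliance-b": f'# baked in\nno-pty,command="/bin/cli" {fake_key(1)} image-key\n',
    "appliance-c": f"{fake_key(3)} admin@c\n",
}

if __name__ == "__main__":
    for fp, names in shared_keys(SAMPLE).items():
        print(f"{fp} is authorized on {', '.join(names)}")
```

A key reported here was not generated per appliance and should be removed or regenerated; the same fingerprint string is what `sshd` logs on a successful public-key login, so it can also be searched for in authentication logs.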
In addition to this, VMware patched an arbitrary file write vulnerability (CVE-2023-20890) this week, which enables attackers to gain remote code execution after obtaining admin access to the targeted appliance. This could potentially allow them to gain root permissions following successful attacks. In July, VMware alerted customers that exploit code for a critical RCE flaw (CVE-2023-20864) in the VMware Aria Operations for Logs analysis tool, patched in April, was released online. A month prior, the company issued another warning about the active exploitation of another Network Insight critical bug (CVE-2023-20887) that could lead to remote command execution attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) instructed U.S. federal agencies to patch their systems against CVE-2023-20887 by July 13th after adding it to its list of known exploited vulnerabilities. Administrators are strongly advised to update their Aria Operations for Networks appliances to the latest version as soon as possible as a precautionary measure against potential future attacks. The relatively low number of VMware vRealize instances exposed online is consistent with the intended use of these appliances on internal networks.