On Monday, VMware warned its customers that proof-of-concept (PoC) exploit code exists for an authentication bypass flaw in vRealize Log Insight, now known as VMware Aria Operations for Logs. The company confirmed that exploit code for the flaw, tracked as CVE-2023-34051, has been published. Under specific conditions, the flaw enables unauthenticated attackers to execute code remotely with root permissions.
According to the Horizon3 security researchers who discovered the bug, successful exploitation requires the attacker to have already compromised a host within the targeted environment and to have permissions to add an extra interface or static IP address on that host. Horizon3 released a technical root cause analysis of the flaw, providing more detail on how CVE-2023-34051 can be used for remote code execution as root on unpatched VMware appliances.
Along with the analysis, Horizon3 also released a PoC exploit and a list of indicators of compromise (IOCs) to assist network defenders in detecting exploitation attempts. The Horizon3 Attack Team explained, "This POC abuses IP address spoofing and various Thrift RPC endpoints to achieve an arbitrary file write." They further clarified that for the attack to work, the attacker must possess the same IP address as a master/worker node.
This vulnerability is also a bypass of VMware's fix for a chain of critical flaws patched in January, which allowed attackers to execute code remotely. These flaws include a directory traversal bug (CVE-2022-31706), a broken access control flaw (CVE-2022-31704), and an information disclosure bug (CVE-2022-31711) that could give attackers access to sensitive session and application information. Collectively tracked under the VMSA-2023-0001 advisory, these vulnerabilities can be exploited to inject maliciously crafted files into the operating system of VMware appliances running unpatched Aria Operations for Logs software.
The Horizon3 security researchers explained that their remote code execution exploit, released a week after VMware pushed the security updates, "abuses the various Thrift RPC endpoints to achieve an arbitrary file write." They added that although the vulnerability is easy to exploit, the attacker needs some infrastructure in place to serve malicious payloads. Furthermore, since the product is unlikely to be exposed to the internet, the attacker has probably already established a foothold elsewhere on the network. Threat actors routinely exploit vulnerabilities inside previously compromised networks for lateral movement, which makes vulnerable VMware appliances attractive internal targets.
In June, VMware had alerted its customers about another critical remote code execution vulnerability in VMware Aria Operations for Networks (tracked as CVE-2023-20887) being exploited in attacks.