VMware Aria: CISA warns customers to immediately patch products
The disclosure marks the third critical vulnerability in as many months for VMware


CISA has urged VMware users to immediately apply patches for Aria Operations for Networks following the discovery of “multiple” critical vulnerabilities in the network management tool.
The first vulnerability, tracked as CVE-2023-34039, is an SSH authentication bypass flaw discovered by security experts at ProjectDiscovery Research and reported to the firm last week.
VMware said the vulnerability emerged due to a “lack of unique cryptographic key generation”, and would enable threat actors to bypass SSH authentication to access the Aria tool’s command line.
“A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI,” VMware said in its advisory.
“VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.”
VMware confirmed on Friday that exploit code for CVE-2023-34039 has been published, and advised customers to apply patches for versions 6.2 through to 6.10.
A second flaw, tracked as CVE-2023-20890, was revealed as an arbitrary file write vulnerability with a CVSSv3 score of 7.2, marking it as “important”.
This flaw would allow an unauthenticated user with administrative access to Aria Operations for Networks to “write files to arbitrary locations” and enable remote code execution.
VMware “forgot to regenerate keys”
Analysis of CVE-2023-34039 by researchers at Summoning Team found that the vulnerability arose because VMware “forgot” to regenerate SSH authentication keys.
“VMware has named this issue “Networks Authentication Bypass”, but in my opinion, nothing is getting bypassed,” Sina Kheirkhah wrote in a blog post.
“There is SSH authentication in place; however, VMware forgot to regenerate the keys.”
Kheirkhah said an underlying factor in the flaw was that Aria Operations for Networks had “hardcoded” authentication keys across multiple versions spanning from 6.0 to 6.10.
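An added example, not from VMware or the researchers quoted here: a Python audit that fingerprints every authorized_keys entry across a set of hosts and reports any key trusted by more than one of them, which is how a key baked into a shared image shows up from the defender's side. The host names and key material are constructed for the demonstration.

```python
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")


def make_blob(seed: bytes) -> str:
    """Build a well-formed ssh-ed25519 public-key blob from constructed bytes."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for a public key
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return base64.b64encode(wire).decode()


def fingerprint(line: str):
    """Return the OpenSSH-style SHA256 fingerprint of one authorized_keys line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:  # skips any leading options field
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None  # comment, blank line or unsupported key type


def find_shared_keys(inventory: dict) -> dict:
    """Map fingerprint -> hosts, keeping only keys trusted by more than one host."""
    seen = defaultdict(set)
    for host, text in inventory.items():
        for line in text.splitlines():
            fp = fingerprint(line)
            if fp:
                seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


# Constructed sample data: three hypothetical appliances and their authorized_keys.
VENDOR = "ssh-ed25519 " + make_blob(b"baked-into-image") + " support@image"
INVENTORY = {
    "appliance-a": VENDOR + "\nssh-ed25519 " + make_blob(b"a") + " admin@a\n",
    "appliance-b": "# managed\n" + VENDOR + "\n",
    "appliance-c": "no-pty ssh-ed25519 " + make_blob(b"c") + " admin@c\n",
}

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(INVENTORY).items():
        print(fp, "trusted on", ", ".join(hosts))
```

A key that appears on every deployment of the same product version is a sign that it shipped with the image rather than being generated at install time.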
Repeated vulnerability disclosures
This latest vulnerability disclosure from VMware marks the third in as many months for the company.
In July, the firm revealed that exploit code had been published online for a critical remote code execution flaw affecting Aria Operations for Logs.
Meanwhile, in June CISA urged US government agencies to apply a patch for an actively exploited command injection vulnerability in the network monitoring platform. Tracked as CVE-2023-20887, the flaw would enable threat actors to perform remote code execution.
“A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution,” the firm said at the time.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.