VMware Aria: CISA warns customers to immediately patch products
The disclosure marks the third critical vulnerability in as many months for VMware
CISA has urged VMware users to immediately apply patches for Aria Operations for Networks following the discovery of “multiple” critical vulnerabilities in the network management tool.
The first vulnerability, tracked as CVE-2023-34039, is an SSH authentication bypass flaw discovered by security experts at ProjectDiscovery Research and reported to the firm last week.
VMware said the vulnerability emerged due to a “lack of unique cryptographic key generation”, and would enable threat actors to bypass SSH authentication to access the Aria tool’s command line.
“A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI,” VMware said in its advisory.
“VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.”
VMware confirmed on Friday that exploit code for CVE-2023-34039 has been published, and advised customers to apply patches for versions 6.2 through to 6.10.
A second flaw, tracked as CVE-2023-20890, was revealed as an arbitrary file write vulnerability with a CVSSv3 score of 7.2, marking it as “important”.
This flaw would allow an unauthenticated user with administrative access to Aria Operations for Networks to “write files to arbitrary locations” and enable remote code execution.
VMware “forgot to regenerate keys”
Analysis of CVE-2023-34039 from researchers at Summoning Team found that the vulnerability arose because VMware “forgot” to regenerate SSH authentication keys.
“VMware has named this issue ‘Networks Authentication Bypass’, but in my opinion, nothing is getting bypassed,” Sina Kheirkhah wrote in a blog post.
“There is SSH authentication in place; however, VMware forgot to regenerate the keys.”
Kheirkhah said an underlying factor in the flaw was that Aria Operations for Networks had “hardcoded” authentication keys across multiple versions spanning from 6.0 to 6.10.
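The following is an added example, not code from VMware, ITPro or the researchers quoted: one way to check a fleet for the condition described above, the same SSH key trusted on more than one host, by fingerprinting collected authorized_keys contents. The hostnames, sample keys and function names are constructed for illustration, and it assumes the files have already been gathered as text.

```python
import base64
import hashlib
import struct
from collections import defaultdict

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, or None."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(KEY_PREFIXES):
            continue  # leading option such as no-pty, or a comment word
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        # The key blob begins with a length-prefixed copy of the key type.
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if blob[4:4 + n] != tok.encode():
            continue
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def shared_keys(inventory):
    """Map fingerprint -> sorted hosts, for keys trusted on more than one host."""
    seen = defaultdict(set)
    for host, text in inventory.items():
        for line in text.splitlines():
            fp = None if line.lstrip().startswith("#") else fingerprint(line)
            if fp:
                seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

def sample_key(seed):
    # Constructed ed25519-shaped blob for the demo; not a real key.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed inventory: hypothetical hostnames mapped to authorized_keys text.
BAKED_IN = sample_key(1)
INVENTORY = {
    "appliance-a": BAKED_IN + " support@image\n",
    "appliance-b": "# shipped with image\nno-pty " + BAKED_IN + "\n" + sample_key(2) + " ops\n",
    "appliance-c": sample_key(3) + " ops\n",
}

if __name__ == "__main__":
    print(shared_keys(INVENTORY))
```

Any fingerprint this reports on more than one host is a key that was not generated per deployment and should be rotated on each affected system.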
Repeated vulnerability disclosures
This latest vulnerability disclosure from VMware marks the third in as many months for the company.
In July, the firm revealed that exploit code had been exposed online for a critical remote code execution flaw affecting Aria Operations for Logs.
Meanwhile, in June CISA urged US government agencies to apply a patch for an actively exploited command injection vulnerability in the network monitoring platform. Tracked as CVE-2023-20887, the flaw would enable threat actors to perform remote code execution.
“A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution,” the firm said at the time.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.