Critical VMware Aria Vulnerability: What You Need to Know


VMware Aria Operations for Networks, previously known as vRealize Network Insight, was recently found to contain a critical vulnerability. The flaw, tracked as CVE-2023-34039, carries a CVSS score of 9.8 out of 10. It stems from a lack of unique cryptographic key generation, which makes it an authentication bypass.

In practical terms, an attacker with network access to Aria Operations for Networks can bypass SSH authentication and obtain unrestricted access to the appliance's command-line interface (CLI).


The Origin of the VMware Aria Vulnerability

Sina Kheirkhah of the Summoning Team examined the vulnerability after VMware released its patch. His analysis of the patch pointed to a bash script containing a function named refresh_ssh_keys(), which overwrites the existing SSH keys of two users, 'support' and 'ubuntu', in the authorized_keys file.

The Origin of the VMware Aria Vulnerability after the release of VMware's patch


The reason the patch needs such a function is the oversight itself: the appliance never regenerated its SSH keys. From version 6.0 through 6.10 of Aria Operations for Networks, the same authorized_keys entries were hardcoded into every install, so anyone holding the matching private key could log in as those users on any unpatched appliance.
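The failure mode above (one key trusted on every appliance) is easy to find from the outside once you can read the appliances' authorized_keys files: compute the OpenSSH fingerprint of every entry and look for a fingerprint that appears on more than one host. The following is an added example written for this article, not VMware's script or any code from the Summoning Team write-up. The fleet data, host names, user names and key bytes are constructed for the demonstration; the key blobs are syntactically valid ssh-ed25519 entries built from arbitrary bytes, not real public keys.

```python
import base64
import hashlib
import re
import struct
from collections import defaultdict

# Matches the key-type / base64-blob / comment tail of an authorized_keys line,
# skipping any leading options field (e.g. restrict,command="/opt/tool a b").
_KEY_RE = re.compile(
    r'(?:^|\s)(ssh-[\w-]+|ecdsa-[\w-]+|sk-[\w@.-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$'
)


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_line(pub: bytes, comment: str, options: str = "") -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line.

    Used here only to construct sample data: `pub` is 32 arbitrary bytes,
    not a real public key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pub)
    line = f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
    return f"{options} {line}" if options else line


def parse_authorized_key(line: str):
    """Return (keytype, blob, comment) for one line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    blob = base64.b64decode(b64, validate=True)
    # The blob's first wire string must repeat the declared key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key blob does not match declared key type")
    return keytype, blob, comment


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(fleet):
    """fleet: {host: {user: authorized_keys_text}}.

    Returns {fingerprint: ["host:user", ...]} for every key trusted on more
    than one host. A vendor key baked into the image shows up exactly this way."""
    where = defaultdict(set)
    for host, users in fleet.items():
        for user, text in users.items():
            for line in text.splitlines():
                parsed = parse_authorized_key(line)
                if parsed:
                    where[fingerprint(parsed[1])].add(f"{host}:{user}")
    return {fp: sorted(locs) for fp, locs in where.items()
            if len({loc.split(":")[0] for loc in locs}) > 1}


# Constructed sample: aria-01 and aria-02 still carry the image's baked-in key
# for 'support' (and aria-01 also for 'ubuntu'); aria-03 has been re-keyed per host.
IMAGE_KEY = bytes(range(32))
SAMPLE_FLEET = {
    "aria-01": {
        "support": make_ed25519_line(IMAGE_KEY, "support@image", 'restrict,command="/opt/support shell"'),
        "ubuntu": make_ed25519_line(IMAGE_KEY, "ubuntu@image"),
    },
    "aria-02": {
        "support": make_ed25519_line(IMAGE_KEY, "support@image"),
        "ubuntu": make_ed25519_line(hashlib.sha256(b"aria-02/ubuntu").digest(), "regenerated"),
    },
    "aria-03": {
        "support": make_ed25519_line(hashlib.sha256(b"aria-03/support").digest(), "regenerated"),
        "ubuntu": make_ed25519_line(hashlib.sha256(b"aria-03/ubuntu").digest(), "regenerated"),
    },
}

if __name__ == "__main__":
    for fp, locs in find_shared_keys(SAMPLE_FLEET).items():
        print(f"{fp} trusted on {len(locs)} accounts: {', '.join(locs)}")
```

Run against the sample fleet, the audit reports a single fingerprint trusted by three accounts across two hosts, which is the signature of a key shipped in the image rather than generated on first boot. The same loop works on real appliances if you feed it the contents of each user's authorized_keys; the fingerprints it prints are in the same format as `ssh-keygen -lf`, so they can be compared against whatever fingerprints a vendor advisory publishes.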


Other Notable Vulnerabilities

Alongside that flaw, VMware also fixed CVE-2023-20890, an arbitrary file write vulnerability. A user with administrative access can use it to write files to any location on the appliance, which can be turned into remote code execution.

The two chain together: an attacker who uses the CVE-2023-34039 proof-of-concept (PoC) to obtain privileged CLI access can then exploit CVE-2023-20890 to run code of their choice. That chain is why applying the available updates promptly matters.
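The article does not describe the mechanism behind CVE-2023-20890, so the following is an added, generic illustration of the arbitrary-file-write class and its standard mitigation, not code from Aria Operations or a reproduction of the flaw. Both functions, the directory layout and the file names are hypothetical and constructed for the example. The weak version trusts a caller-supplied name and writes wherever it points; the confined version resolves the destination, requires it to stay inside the intended directory, and opens it in a way that a planted symlink cannot redirect.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested destination escapes the allowed directory."""


def vulnerable_save(base_dir: str, name: str, data: bytes) -> str:
    """Deliberately weak: trusts the caller-supplied name, so '../' segments,
    an absolute path or a planted symlink write anywhere the process can."""
    dest = os.path.join(base_dir, name)  # join discards base_dir if name is absolute
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def safe_save(base_dir: str, name: str, data: bytes) -> str:
    """Confine the write to base_dir:
    1. resolve symlinks in base_dir and in the candidate path (realpath),
    2. require the resolved candidate to sit strictly inside base_dir,
    3. open with O_NOFOLLOW so a symlink swapped in after the check
       cannot redirect the write (O_NOFOLLOW is absent on Windows; degrade to 0)."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root or candidate == root:
        raise UnsafePathError(f"refusing to write outside {root}: {name!r}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(candidate, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return candidate


def demo() -> dict:
    """Exercise both savers with an in-bounds name, a traversal, an absolute
    path and a planted symlink, inside a throwaway directory.
    Returns where the weak saver actually wrote and what the safe saver did."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        uploads = os.path.join(root, "uploads")
        outside = os.path.join(root, "outside")  # stands in for e.g. a cron or init directory
        os.mkdir(uploads)
        os.mkdir(outside)
        # Attacker-planted symlink inside the upload directory pointing outside it.
        os.symlink(os.path.join(outside, "target"), os.path.join(uploads, "link.txt"))
        names = [
            "report.txt",                        # legitimate
            "../outside/planted",                # traversal
            os.path.join(outside, "absolute"),   # absolute path
            "link.txt",                          # symlink escape
        ]
        results = {"vulnerable": [], "safe": []}
        for n in names:
            written = vulnerable_save(uploads, n, b"payload")
            results["vulnerable"].append(os.path.relpath(os.path.realpath(written), root))
        for n in names:
            try:
                safe_save(uploads, n, b"payload")
                results["safe"].append("accepted")
            except UnsafePathError:
                results["safe"].append("rejected")
        return results


if __name__ == "__main__":
    for saver, outcome in demo().items():
        print(saver, outcome)
```

The weak saver lands three of the four writes outside the upload directory, including the symlink case where the path it was given looks harmless. The confined saver accepts only the legitimate name; the realpath step catches the symlink at check time and O_NOFOLLOW closes the window between the check and the open. On a management appliance, the directories that matter are the ones a service or scheduler executes from, which is exactly how an arbitrary write becomes code execution.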

VMware has also released fixes for CVE-2023-20900, a high-severity SAML token signature bypass in VMware Tools that affects multiple versions on both Windows and Linux. An attacker with a man-in-the-middle position on the network between the guest virtual machine and its management traffic could bypass SAML token signature verification and perform VMware Tools guest operations they are not entitled to.

Credited to Peter Stöckli of the GitHub Security Lab, the affected and fixed versions are:

  • VMware Tools for Windows (12.x.x, 11.x.x, 10.3.x) – Patch available in 12.3.0.
  • VMware Tools for Linux (10.3.x) – Rectified in version 10.3.26.
  • Open-source iteration of VMware Tools for Linux (12.x.x, 11.x.x, 10.3.x) – Fix released in 12.3.0, awaiting distribution by Linux vendors.


Rise in Exploitation of Other Software

This surge in vulnerabilities isn’t unique to VMware. Fortinet FortiGuard Labs has raised alarms about the increased exploitation of Adobe ColdFusion vulnerabilities. Malicious actors are leveraging these flaws to launch cryptocurrency miners and hybrid bots like Satan DDoS (Lucifer) and RudeMiner (SpreadMiner). These bots are notorious for cryptojacking and initiating distributed denial-of-service (DDoS) attacks.

Furthermore, a backdoor titled ‘BillGates’ (or Setag) has been observed. This malicious software is adept at commandeering systems, pilfering confidential data, and kickstarting DDoS assaults.


Conclusion

The recent vulnerabilities in VMware Aria and other software emphasize the critical need for continuous vigilance in the cybersecurity domain. Organizations and individual users must prioritize timely updates and be wary of potential threats to ensure data safety and system integrity. Given the complexity of today’s digital landscape, proactive measures are the best defense.

As the cybersecurity landscape continues to evolve, it is essential to stay informed about emerging threats and developments. I would highly suggest visiting our Cyber Safety section to enhance your defenses and stay ahead of evolving cyber threats.



Avani Deshpande

Hello to all tech enthusiasts. I'm Avani, and at TheTechDelta, I focus on the critical area of cyber safety & security. Our digital world is filled with both opportunities and risks. My aim is to help you navigate this complex terrain, offering insights from data breaches to identity theft prevention. With TheTechDelta's Cyber Safety section, you can confidently harness technology while ensuring your online world remains secure. Join me, and together, let's foster a safer digital experience.
