Virtualization services provider VMware has issued a warning to its customers about two high-severity bugs in its Aria Operations for Logs software: an authentication bypass vulnerability (CVE-2023-34051) and a deserialization vulnerability (CVE-2023-34052) [2].

Description

The authentication bypass vulnerability (CVE-2023-34051) allows an unauthenticated attacker to remotely execute code with root permissions under certain conditions [7]. It was discovered and reported by the Horizon3 security research team, which has also released proof-of-concept exploit code, prompting VMware to revise its advisory [5]. To exploit the flaw [4] [6], the attacker must already have compromised a host within the targeted environment and must be able to add an extra interface or static IP address to it [6] [7]. The exploit abuses IP address spoofing against the product's Thrift RPC endpoints to achieve an arbitrary file write and then spawn a reverse shell [6] [7]. CVE-2023-34051 is a patch bypass for critical flaws VMware addressed earlier this year [5]: the vulnerable code path was never removed, only fenced off, which is why a single network-level control was not enough and why defense in depth matters [5]. VMware customers are advised to apply the patches that address this flaw [3].

VMware has confirmed the availability of exploit code for CVE-2023-34051 in an update to its original advisory [1]. Horizon3's analysis explains why the earlier fix was incomplete: VMware had closed a bug in its Thrift services [2], but the patch only blocked access to those services by source IP address and did not fix the underlying vulnerabilities [2]. As a result [2], an attacker who can spoof the IP address of a legitimate cluster node can reuse the previous attack chain [2]. The attack therefore requires at least two instances of VMware vRealize Log Insight in a master/worker configuration and an attacker machine that presents the same source IP address as the worker node [2]; a standalone single-node deployment does not expose this path, and the attacker must already be positioned on the network where the spoofed address is routable. Proof-of-concept code for this attack is available on GitHub [2]. The second bug, the deserialization vulnerability CVE-2023-34052, is a separate flaw fixed in the same release [4]. Both vulnerabilities affect VMware Aria Operations for Logs [4], which is the new name for vRealize Log Insight.
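The core weakness above is that the earlier patch treated a source-IP allowlist as authentication. The following is an added example, not VMware's code and not the product's actual Thrift handling: it models an IP-only access check on an RPC endpoint, shows that a caller who has simply assumed the worker's address passes it, and contrasts it with a check that also demands proof of possession of a cluster-join key via a single-use HMAC challenge. The cluster addresses, the shared key, and the `Request` shape are constructed for illustration.

```python
# Added example (not VMware's code): why an IP allowlist on an RPC endpoint
# is not authentication, and what a spoof-resistant node check looks like.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed cluster: the master allowlists one worker's address.
WORKER_IPS = {"10.0.0.12"}

# Constructed shared secret distributed when a node joins the cluster
# (hypothetical mechanism; a real deployment would use per-node mTLS).
CLUSTER_KEY = b"constructed-cluster-join-secret"


@dataclass
class Request:
    peer_ip: str          # source address as seen by the master
    nonce: bytes = b""    # master-issued challenge echoed back by the caller
    proof: bytes = b""    # HMAC-SHA256(CLUSTER_KEY, nonce) supplied by the caller


def ip_only_check(req: Request) -> bool:
    """The kind of filter the earlier patch added: trust the source IP."""
    return req.peer_ip in WORKER_IPS


class Master:
    """Holds outstanding challenges so each one can be used exactly once."""

    def __init__(self) -> None:
        self._issued: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._issued.add(nonce)
        return nonce

    def authenticated_check(self, req: Request) -> bool:
        """IP allowlist plus proof of key possession; nonce is single-use."""
        if req.peer_ip not in WORKER_IPS:
            return False
        if req.nonce not in self._issued:
            return False          # unknown or already-consumed challenge
        self._issued.discard(req.nonce)
        expected = hmac.new(CLUSTER_KEY, req.nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, req.proof)


def legit_worker(master: Master) -> Request:
    """A real worker answers the challenge with the cluster key."""
    nonce = master.challenge()
    proof = hmac.new(CLUSTER_KEY, nonce, hashlib.sha256).digest()
    return Request("10.0.0.12", nonce, proof)


def spoofing_attacker(master: Master) -> Request:
    """Attacker has added 10.0.0.12 to its own interface, so its packets
    carry the worker's source address, but it does not hold the key."""
    nonce = master.challenge()
    return Request("10.0.0.12", nonce, b"\x00" * 32)


if __name__ == "__main__":
    m = Master()
    print("ip-only, spoofed  :", ip_only_check(spoofing_attacker(m)))          # True
    print("authn, spoofed    :", m.authenticated_check(spoofing_attacker(m)))  # False
    print("authn, real worker:", m.authenticated_check(legit_worker(m)))       # True
```

The shared-key HMAC is the simplest thing that makes the point; it still leaves one secret shared by every node, so compromise of any node yields the key. Per-node certificates with mutual TLS give the same spoof resistance without that blast radius, and the single-use nonce is what stops an on-path attacker from replaying a real worker's proof.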

Conclusion

These vulnerabilities pose significant risks to VMware customers running Aria Operations for Logs. The authentication bypass (CVE-2023-34051) allows remote code execution as root by spoofing a cluster node's IP address to get past the IP-based filter that an earlier patch relied on; the deserialization vulnerability (CVE-2023-34052) is a separate flaw addressed in the same release. VMware has released patches for both, and customers are strongly advised to apply them promptly, given that exploit code and a proof of concept are public. The episode is also a reminder that a network-level filter placed in front of vulnerable code is a mitigation, not a fix, and that organizations should pair prompt patching with defense in depth.

References

[1] https://cyber.vumetric.com/security-news/2023/10/24/vmware-warns-admins-of-public-exploit-for-vrealize-rce-flaw/
[2] https://www.itnews.com.au/news/vmware-warns-to-patch-now-against-exploitable-bugs-601624
[3] https://duo.com/decipher/vmware-fixes-critical-severity-vcenter-server-bug
[4] https://www.hkcert.org/security-bulletin/vmware-aria-operations-for-logs-multiple-vulnerabilities_20231025
[5] https://thehackernews.com/2023/10/alert-poc-exploits-released-for-citrix.html
[6] https://www.computing.co.uk/news/4138333/vmware-warns-admins-public-exploit-vrealize-rce-flaw
[7] https://www.redpacketsecurity.com/vmware-warns-admins-of-public-exploit-for-vrealize-rce-flaw/