VMware warned customers on Monday that proof-of-concept exploit code is now available for an authentication bypass flaw in vRealize Log Insight.

"Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," the company said in an update to the original advisory.

Tracked as CVE-2023-34051, the flaw allows unauthenticated attackers to execute code remotely with root permissions if certain conditions are met. Successful exploitation hinges on the attacker having already compromised a host within the targeted environment and possessing permissions to add an extra interface or static IP address, according to the Horizon3 security researchers who discovered the bug.

Horizon3 published a technical root cause analysis for the flaw on Friday with additional information on how CVE-2023-34051 can be used to gain remote code execution as root on unpatched VMware appliances. The researchers also released a PoC exploit and a list of indicators of compromise that network defenders can use to detect exploitation attempts within their environments.

"This POC abuses IP address spoofing and various Thrift RPC endpoints to achieve an arbitrary file write," the Horizon3 Attack Team said. "For this attack to work, an attacker must have the same IP address as a master/worker node."

This vulnerability is also a bypass of the fix for an exploit chain of critical flaws that VMware patched in January, which together enable attackers to gain remote code execution. The first is a directory traversal bug, the second a broken access control flaw, and the third an information disclosure bug that allows attackers to access sensitive session and application information. Attackers can chain these vulnerabilities to inject maliciously crafted files into the operating system of VMware appliances running unpatched Aria Operations for Logs software.
When Horizon3 security researchers released a VMSA-2023-0001 PoC exploit one week after the company pushed security updates, they explained that their RCE exploit "abuses the various Thrift RPC endpoints to achieve an arbitrary file write."

"This vulnerability is easy to exploit; however, it requires the attacker to have some infrastructure setup to serve malicious payloads," they said.

Threat actors frequently exploit vulnerabilities within previously compromised networks for lateral movement, making vulnerable VMware appliances valuable internal targets.

In June, VMware warned customers about another critical remote code execution vulnerability, in VMware Aria Operations for Networks, being exploited in attacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000