VMware has released a security advisory to address multiple critical vulnerabilities affecting Aria Operations for Networks (formerly vRealize Network Insight). CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889 have been given Critical and Important Severity ratings with CVSS scores of 9.8, 9.1, and 8.8, respectively. Successful exploitation of these vulnerabilities may allow an attacker to perform command injection and/or exploit a deserialization vulnerability. In addition, it may lead to information disclosure.
CISA has added CVE-2023-20887 to its Known Exploited Vulnerabilities Catalog and urged users to patch it before July 13th, 2023.
VMware Aria Operations for Networks is a network and application monitoring tool. It helps monitor, discover, and analyze networks and applications to build a secure network infrastructure across clouds. It also provides multi-cloud migration, application discovery and visibility, and enhanced troubleshooting.
CVE-2023-20887: Aria Operations for Networks Command Injection Vulnerability
An attacker needs network access to Aria Operations for Networks to exploit this command injection vulnerability. Successful exploitation may allow remote code execution.
CVE-2023-20888: Aria Operations for Networks Authenticated Deserialization Vulnerability
To exploit this vulnerability, an attacker must have network access to VMware Aria Operations for Networks and valid ‘member’ role credentials. On successful exploitation of this vulnerability, a malicious actor may be able to conduct a deserialization attack leading to remote code execution.
CVE-2023-20889: Aria Operations for Networks Information Disclosure Vulnerability
An attacker with network access to VMware Aria Operations for Networks may exploit this vulnerability. A malicious attacker may perform a command injection attack resulting in information disclosure.
Exploitation Analysis (CVE-2023-20887)
An attacker may perform a chain of attacks by exploiting two vulnerabilities to perform remote code execution on the affected system.
/etc/nginx/sites-available/vnera contains an Nginx configuration that restricts access to the endpoint /saasresttosaasservlet when it is called over port 443; a request to this endpoint that originates from localhost is allowed. The endpoint proxies requests to the Apache Thrift RPC server running on port 9090.
Apache Thrift is a software framework used for scalable cross-language services development. The software framework combines a software stack with a code generation engine to build services that work efficiently between C++, Java, Python, PHP, and other languages.
The data types and service interfaces are defined in Apache Thrift using a straightforward definition file. The compiler uses that file as input and produces code that can be used to create RPC clients and servers quickly and easily, enabling cross-language communication.
The RPC server architecture contains the endpoint /resttosaasservlet on port 9090 that responds with the RestToSaasCommunication service. This Thrift endpoint performs many procedures, one of which is createSupportBundle. The procedure takes care of support bundle creation, as its name suggests.
The nodeId from the request is passed to ScriptUtils.class#evictPublishedSupportBundles. The method only performs basic checks that the arguments are not empty before constructing the commands.
The evictPublishedSupportBundles method is vulnerable to command injection because it places the nodeId inside a command. By crafting a Thrift RPC request, an attacker may exploit createSupportBundle, but access to this Thrift endpoint from outside is restricted by the Nginx configuration.
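To make the root cause concrete, here is an added Java illustration of the pattern described above, an untrusted nodeId that is checked only for emptiness and then placed in a shell command string, beside a hardened version that allowlists the identifier and passes it as a discrete argument. It is not the vendor's code; the class and method names, the script path and the identifier format are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical illustration of the bug class, not VMware's implementation.
public class SupportBundleEviction {

    // Vulnerable pattern: nodeId is only checked for emptiness and is then
    // spliced into one string handed to a shell. Any shell metacharacters in
    // nodeId are interpreted by /bin/sh as part of the command.
    static List<String> buildEvictCommandUnsafe(String nodeId) {
        if (nodeId == null || nodeId.isEmpty()) {
            throw new IllegalArgumentException("nodeId must not be empty");
        }
        // "/opt/support/evict.sh" is a constructed, hypothetical script path.
        return List.of("/bin/sh", "-c", "/opt/support/evict.sh " + nodeId);
    }

    // Hardened pattern: accept only identifiers matching a strict allowlist
    // and pass the value as its own argv element, so no shell parses it.
    private static final Pattern NODE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    static List<String> buildEvictCommandSafe(String nodeId) {
        if (nodeId == null || !NODE_ID.matcher(nodeId).matches()) {
            throw new IllegalArgumentException("nodeId failed allowlist check");
        }
        return List.of("/opt/support/evict.sh", nodeId);
    }

    // Whichever builder produced the argv, execution goes through
    // ProcessBuilder with an argument array, never through a shell string.
    static int run(List<String> argv) throws Exception {
        return new ProcessBuilder(argv).inheritIO().start().waitFor();
    }

    public static void main(String[] args) {
        String benign = "node-1";
        String suspicious = "node-1; id";   // constructed sample input
        System.out.println("unsafe argv: " + buildEvictCommandUnsafe(suspicious));
        System.out.println("safe argv:   " + buildEvictCommandSafe(benign));
        try {
            buildEvictCommandSafe(suspicious);
        } catch (IllegalArgumentException e) {
            // The allowlist rejects the value before any process is started.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The unsafe builder yields a single shell string containing the raw input, while the safe builder either returns a fixed argv with the identifier isolated or rejects the value outright.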
Bypassing the Nginx configuration
An attacker may send a specially crafted request to bypass the configuration and exploit the vulnerability.
Affected versions
The vulnerabilities affect VMware Aria Operations for Networks 6.x versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10.
Mitigation
Customers are requested to upgrade to the latest versions of VMware Aria Operations for Networks to patch the vulnerabilities.
For more information, please refer to the VMware Advisory (VMSA-2023-0012).
Qualys Detection
Qualys customers can scan their devices with QID 730825 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.vmware.com/security/advisories/VMSA-2023-0012.html
https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/