Experts released PoC exploit code for VMware Aria Operations for Logs flaw. Patch it now!
October 24, 2023
VMware is aware of the availability of a proof-of-concept (PoC) exploit code for an authentication bypass flaw in VMware Aria Operations for Logs.
VMware warned customers of the availability of a proof-of-concept (PoC) exploit code for an authentication bypass vulnerability, tracked as CVE-2023-34051, in VMware Aria Operations for Logs (formerly known as vRealize Log Insight).
The vulnerability CVE-2023-34051 (CVSS score 8.1) is an authentication bypass vulnerability in VMware Aria Operations for Logs.
“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.” reads the advisory published by the virtualization giant.
“Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published”.
The vulnerability was discovered by cybersecurity firm Horizon3, which published a technical analysis of the flaw.
Earlier this year, the security firm published technical information on VMSA-2023-0001, which impacted VMware Aria Operations for Logs (formerly VMware vRealize Log Insight). The researchers demonstrated how an attacker could exploit three distinct CVEs to achieve remote code execution. While investigating the issues, the researchers discovered that the solution provided by VMware was not able to completely address the flaws. The researchers promptly reported this new issue to VMware, and it has been addressed in VMSA-2023-0021.
The indicators of compromise for this vulnerability are the same released for the VMSA-2023-0001.
The cyber security firm also released a PoC exploit for this vulnerability.
“This POC abuses IP address spoofing and various Thrift RPC endpoints to achieve an arbitrary file write.” reads the advisory published by Horizon3. “The default configuration of this vulnerability writes a cron job to create a reverse shell. Be sure to change the payload file to suit your environment.” “For this attack to work, an attacker must have the same IP address as a master /worker node.” “For this attack to work, an attacker must have the same IP address as a master /worker node. See blog above for more details.“
(SecurityAffairs – hacking, VMware Aria Operations for Logs)