VMware remediates critical and high-severity vulnerabilities

Home / Threat Intelligence bulletins / VMware remediates critical and high-severity vulnerabilities

Target Industry

Indiscriminate, opportunistic targeting.

Overview

VMware has released security patches addressing critical and high-severity level security vulnerabilities in VMware Aria Operations for Networks (previously named vRealize Network Insight), an analytics tool that allows administrators to optimise network performance as well as manage VMware and Kubernetes deployments. The related vulnerabilities are:

  • CVE-2023-20887 (CVSSv3 base score: 9.8) – Command injection vulnerability
  • CVE-2023-20888 (CVSSv3 base score: 9.1) – Authenticated deserialization vulnerability
  • CVE-2023-20889 (CVSSv3 base score: 8.8) – Information disclosure vulnerability.

On the 20th of June 2023 VMware confirmed that CVE-2023-20887 has been actively exploited in the wild. Scanning operations were detected with regards to a Proof-of-Concept (PoC) code relating to the vulnerability, in an attempt to launch a reverse shell that connects to threat actor servers”.

Impact

  • Successful exploitation of CVE-2023-20887 could allow a threat actor with network access to VMware Aria Operations for Networks to perform a command injection attack resulting in remote code execution
  • Successful exploitation of CVE-2023-20888 could allow a threat actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials to perform a deserialization attack resulting in remote code execution
  • Successful exploitation of CVE-2023-20889 could allow a threat actor with network access to VMware Aria Operations for Networks to perform a command injection attack resulting in information disclosure

Vulnerability Detection

VMware has released security updates with regards to these vulnerabilities. As such, previous versions are vulnerable to potential exploit.

Affected Products

Aria Operations for Networks.

Containment, Mitigations & Remediations

No workarounds are available for these vulnerabilities at the time of writing. As such, it is strongly recommended that administrators apply the patches to all VMware Aria Operations Networks 6.x versions, which can be found in the Addressing CVE-2023-20887, CVE-2023-20888, CVE-2023-20889 in VMware Aria Operations for Networks (Formerly vRealize Network Insight) On-Prem installations (92684).

To apply the respective security patches, follow these steps:

  • Download the update patch file
  • Upload the patch file while being logged in as the administrator
  • Install the file by navigating to Settings > Install and Support > Overview and Updates.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

VMware occupies a significant proportion of the virtualisation market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, VMware products have become a prime target for threat actors. Due to the fact that virtual machines have become an integral aspect of both personal and business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive information contained therein.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0002 – Execution

Further Information

VMware Advisory

VMSA-2023-0012.2 (vmware.com)

Intelligence Terminology Yardstick