A recently disclosed critical vulnerability in VMware Aria Operations for Networks (formerly vRealize Network Insight) has been actively exploited in attacks, prompting VMware to issue an updated security advisory. This blog highlights the key facts about the severity, impacted versions, and relevant links to help you stay informed and secure.
Important Facts
Severity: The vulnerability, known as CVE-2023-20887, allows remote code execution and has been classified as critical. VMware has confirmed that exploitation of this vulnerability has occurred in the wild.
Impacted Versions: The vulnerability affects VMware Aria Operations for Networks (vRealize Network Insight) versions 6.x. Administrators using these on-prem installations should take immediate action.
Exploit Details: The vulnerability involves command injection through the Apache Thrift RPC interface. Unauthenticated threat actors can execute arbitrary commands on the underlying operating system as the root user without user interaction.
Security Researcher and Proof-of-Concept: Security researcher Sina Kheirkhah shared technical details and proof-of-concept exploit code, raising awareness about the vulnerability.
GreyNoise Warnings: Cybersecurity firm GreyNoise issued warnings about the exploitation attempts just one week after VMware patched the flaw. They observed mass-scanning activity using the provided proof-of-concept code.
Patching and Mitigation: To secure your VMware Aria Operations for Networks installations, it is crucial to apply the available security patches. No workarounds are available to remove the attack vector for CVE-2023-20887.
References
Official VMware Security Advisory: Addressing CVE-2023-20887, CVE-2023-20888, CVE-2023-20889 in VMware Aria Operations for Networks (Formerly vRealize Network Insight) On-Prem installations (92684)
Technical Details and Root Cause Analysis: GitHub - sinsinology/CVE-2023-20887: VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887)
IP Address Tracking: VMWare Aria Operations for Networks RCE Attempt | GreyNoise Visualizer
Conclusion
The active exploitation of the critical VMware vulnerability (CVE-2023-20887) underscores the importance of prompt action. Administrators using VMware Aria Operations for Networks must ensure they have patched their installations to mitigate the risk of remote code execution. Stay informed by referring to the official VMware Security Advisory, relevant research, and monitoring IP addresses associated with exploit attempts.