Rewterz Threat Update – Update on Active Exploitation of Critical VMware Vulnerability

Severity

High

Analysis Summary

VMware has issued a warning stating that a critical command injection vulnerability in Aria Operations for Networks, formerly known as vRealize Network Insight, is actively being exploited in the wild. The vulnerability, identified as CVE-2023-20887, enables a malicious actor with network access to execute remote code by performing a command injection attack.

This security flaw affects VMware Aria Operations Networks versions 6.x, and the company has released fixes for it in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10, which were made available on June 7, 2023.

According to an update shared by VMware on June 20, the vulnerability has been weaponized and is actively being exploited in real-world attacks. However, the exact details of these attacks are currently unknown.

VMware confirmed the exploitation of CVE-2023-20887, and data from threat intelligence firm GreyNoise revealed ongoing exploitation originating from two different IP addresses located in the Netherlands.

The disclosure of this vulnerability comes after a researcher named Sina Kheirkhah, from the Summoning Team, identified and reported the flaw. Kheirkhah has also released a proof-of-concept (PoC) demonstrating the exploitation of the vulnerability. The PoC highlights that the vulnerability consists of a chain of two issues that can be leveraged by unauthenticated attackers to achieve remote code execution (RCE).

The rapid exploitation of newly disclosed vulnerabilities by both state-sponsored actors and financially motivated groups continues to pose a significant threat to organizations worldwide. This recent disclosure follows a report from Mandiant that uncovered active exploitation of another VMware vulnerability (CVE-2023-20867) by a suspected Chinese actor named UNC3886, who utilized it to backdoor Windows and Linux hosts.

Impact

• Command Execution
• Remote Code Execution

Remediation

• Update Aria Operations for Networks to the latest version provided by VMware, which includes the necessary security patches and fixes for the command injection vulnerability.
• Implement robust network monitoring and intrusion detection systems to detect and respond to any malicious activity targeting the vulnerability.
• Restrict network access to the vulnerable system by employing network segmentation, firewalls, and access controls to limit exposure and potential exploitation.
• Educate users and system administrators about the existence and impact of the vulnerability, emphasizing the importance of promptly applying updates and following secure coding practices.
• Conduct regular security assessments, including vulnerability scans and penetration testing, to identify and address any potential security weaknesses in the infrastructure.
• Establish incident response procedures and ensure that the appropriate teams are trained and prepared to handle any potential security incidents or breaches related to the vulnerability.
• Engage with the vendor and security community to stay informed about any further developments or recommendations regarding the vulnerability and its remediation.