The VMware critical command injection vulnerability, identified as CVE-2023-20887, is in Aria Operations for Networks, previously known as vRealize Network Insight.
In an update shared on June 20, VMware confirmed that the VMware critical command injection vulnerability has been weaponized in real-world attacks. However, specific details about the exploitation remain undisclosed.
The company recently patched the VMware critical command injection vulnerability, which enables a malicious actor with network access to execute a command injection attack, thereby achieving remote code execution.
VMware critical command injection vulnerability exploited
“VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild,” the VMware update on the vulnerability said.
“Aria Operations for Networks contains a command injection vulnerability. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.”
The vulnerability affects VMware Aria Operations Networks versions 6.x and has been addressed in the latest releases, including versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10, made available on June 7, 2023.
This disclosure follows a recent report by Mandiant, which exposed active exploitation of another flaw in VMware Tools (CVE-2023-20867) by a suspected Chinese actor known as UNC3886.
This actor utilized the vulnerability to establish backdoors on Windows and Linux hosts.
To mitigate potential risks, VMware advised users of Aria Operations for Networks to update to the latest available version promptly.
VMware vulnerability exploitation continues
VMware last week issued a security advisory revealing a critical flaw, designated as CVE-2023-20867, which involves an authentication bypass vulnerability.
This vulnerability poses a significant risk to the confidentiality and integrity of guest virtual machines as it allows a “fully compromised ESXi host to cause VMware Tools to fail to authenticate host-to-guest operations.”
Research conducted by Mandiant has shed light on the exploitation process of this flaw.
To exploit CVE-2023-20867, the attacker must have privileged account access to the ESXi host, while the targeted guest machine must have the VMware Tools software management application installed.
Once the attacker gains the necessary access, CVE-2023-20867 enables them to execute privileged actions on a compromised ESXi host without requiring authentication.
Concerningly, Mandiant has highlighted that “no logging events are generated by default when CVE-2023-20867 is successfully exploited.” This absence of logging events can create significant challenges for defenders during the incident response process.
The authentication bypass vulnerability present in VMware Tools raises concerns regarding the potential impact on defenders’ incident response capabilities.
The company released updates for vulnerabilities in Aria Operations for Networks – including CVE-2023-20887 – on June 6.
Those set of vulnerabilities, ranged between critical to high severity, allowed hackers to remotely run codes and steal system data, were offered security updates, The Cyber Express reported.
VMware and the popularity bane
As always, popularity has made VMware a prime target of threat actor.
The exploitation of this particular VMware critical command injection vulnerability is likely to be just an addition to a long list, which includes the infamous VMware Horizon servers containing the Log4j vulnerability.
VMware’s technologies are widely adopted by businesses of all sizes, ranging from small enterprises to large multinational corporations.
Their solutions help organizations enhance efficiency, scalability, and agility while reducing costs and simplifying IT operations.
Organizations across the world faced the threat of ransomware attack, when threat actors started tapping a two-year-old computer vulnerability in the popular VMware ESXi hypervisors, which are utilized to monitor virtual machines.
The updates should alert the users of VMware’s key products, which include:
VMware vSphere: A flagship virtualization platform that allows organizations to create and manage virtual machines, enabling efficient server consolidation and resource allocation.
VMware ESXi: A bare-metal hypervisor that provides a secure and reliable virtualization layer for running virtual machines on physical servers.
VMware vCenter Server: A centralized management platform that allows administrators to control and monitor their virtual infrastructure, including provisioning and performance management.
VMware Cloud Foundation: An integrated software-defined data center (SDDC) platform that combines compute, storage, networking, and management services to deliver a complete private cloud solution.
VMware NSX: A network virtualization and security platform that enables the creation of virtual networks and provides advanced security features for virtualized environments.