VMware has confirmed a recently patched critical command injection vulnerability affecting its Aria Operations for Networks tool is being exploited in the wild.
Tuesday’s confirmation came a week after a proof of concept (PoC) of an exploitation technique was published on GitHub and five days after researchers reported observing attempts to utilize the PoC code.
The exploited vulnerability is one of three high-severity vulnerabilities VMware disclosed on June 7. Tracked as CVE-2023-20887, the command injection vulnerability has a CVSS score of 9.8 and allows an attacker to execute code remotely on targeted systems.
The Aria Operations for Networks monitoring tool (previously called vRealize Network Insight) is used to provide “network visibility and analytics to accelerate micro-segmentation security, minimize risk during application migration, optimize network performance and confidently manage and scale VMware NSX, VMware SD-WAN, and Kubernetes deployments,” according to the vendor.
No known exploits prior to patch release
When it announced the three patches earlier this month, VMware advised customers to apply them “in a timely manner to protect their environment” but said it was not aware of any of the vulnerabilities being exploited.
On Tuesday, however, it updated its June 7 advisory to say it had “confirmed that exploitation of CVE-2023-20887 has occurred in the wild”.
The three bugs VMware disclosed on June 7 were all discovered as part of Trend Micro’s Zero Day Initiative. Of the other two, CVE-2023-20888 is an authenticated deserialization bug with a CVSS score of 9.1, and CVE-2023-20889, which allows for command injection attacks that can lead to information disclosure, has a score of 8.8.
CVE-2023-20888 and CVE-2023-20889 were discovered by security researcher Sina Kheirkhah of Summoning Team, while CVE-2023-20887 was reported by an anonymous researcher.
In a June 13 blog post, Kheirkhah said that during his work with the Zero Day Initiative he also discovered and reported CVE-2023-20887 but “I was outpaced by an anonymous researcher who reported it first”. His post goes on to analyze and provide a PoC for CVE-2023-20887.
“This vulnerability comprises a chain of two issues leading to Remote Code Execution (RCE) that can be exploited by unauthenticated attackers,” he wrote.
Attacks follow posting of PoC
Kheirkhah also posted the PoC code on GitHub where he explained the Aria Operations for Networks tool “was vulnerable to command injection when accepting user input through the Apache Thrift RPC (remote procedure call) interface”.
“This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed.”
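The class of bug Kheirkhah describes, shown here as an added illustration (example code written for this page, not the Aria Operations for Networks code and not Kheirkhah’s PoC): a service handler that splices a caller-supplied field into a shell command, next to the hardened form that validates the field and never invokes a shell. The `echo` command, the handler names and the sample inputs are constructed stand-ins; the product’s actual Thrift service, utility and field names are not on the page and are not assumed here.

```python
import re
import subprocess

# Constructed sample inputs (not taken from the page or the vendor's product).
BENIGN_HOST = "10.0.0.1"
INJECTED_HOST = "10.0.0.1; echo INJECTED"

# Allowlist for the caller-supplied field: an IPv4 address or a DNS-style
# hostname. Spaces, ';', '|', '$', backticks and quotes cannot match.
_HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")


def lookup_vulnerable(host: str) -> str:
    """RPC-style handler that splices caller input into a shell string.

    `host` comes straight from the request. Because the string is handed to
    /bin/sh, shell metacharacters in it become extra commands that run with the
    privileges of the service (root, in the case the page describes). `echo`
    stands in for the real network utility so the demo is harmless.
    """
    cmd = f"echo lookup {host}"
    completed = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return completed.stdout


def lookup_hardened(host: str) -> str:
    """Same operation with the two fixes a reviewer would require.

    1. Validate the field against a strict allowlist before using it.
    2. Pass the program and its arguments as a list, with no shell, so even a
       value that slipped past validation is one argv entry and never parsed.
    A reverse proxy in front of the RPC interface is not a substitute for
    either step; the page notes the proxy in this case could be bypassed.
    """
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    completed = subprocess.run(
        ["echo", "lookup", host], capture_output=True, text=True, check=True
    )
    return completed.stdout


def demo() -> dict:
    """Run both handlers on a benign and an injected value; report what each did."""
    results = {
        "vulnerable_benign": lookup_vulnerable(BENIGN_HOST),
        "vulnerable_injected": lookup_vulnerable(INJECTED_HOST),
        "hardened_benign": lookup_hardened(BENIGN_HOST),
    }
    try:
        lookup_hardened(INJECTED_HOST)
        results["hardened_injected"] = "accepted (unexpected)"
    except ValueError as exc:
        results["hardened_injected"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

Running the script shows the vulnerable handler emitting a second line, `INJECTED`, for the crafted input, while the hardened handler rejects the same input before anything executes. The allowlist is the primary control; the argument-list call is defence in depth for the case where validation is wrong or missing on some path.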
Two days later, on June 15, GreyNoise research analyst Jacob Fisher published a blog referencing Kheirkhah’s PoC.
“At the time of writing we have observed attempted mass-scanning activity utilizing the Proof-Of-Concept code mentioned above in an attempt to launch a reverse shell which connects back to an attacker controlled server in order to receive further commands,” Fisher wrote.
GreyNoise set up a tag on June 13 to track IP addresses linked to attempts to exploit CVE-2023-20887.
On Tuesday, five days after Fisher’s post, VMware updated its initial advisory, confirming that exploitation of CVE-2023-20887 has occurred in the wild.
Patches and patching instructions for all versions of the Aria Operations for Networks tool at risk from the vulnerability can be found on VMware's Customer Connect website.