Cloud computing and virtualization company VMware disclosed a trio of high-severity vulnerabilities affecting its network monitoring tool, Aria Operations for Networks.
According to the company, one bug (CVE-2023-20887) is a command injection vulnerability with a CVSS severity score of 9.8 that allows an attacker to remotely execute code. The second, an authentication deserialization bug (CVE-2023-20888), comes with a severity score of 9.1 and also allows for remote code execution. The third (CVE-2023-20889), rated at 8.8, allows for command injection attacks that can lead to information disclosure.
All three attack vectors require existing network access to Aria Operations for Networks to exploit.
According to VMware, the tool is used to provide “network visibility and analytics to accelerate micro-segmentation security, minimize risk during application migration, optimize network performance and confidently manage and scale VMware NSX, VMware SD-WAN, and Kubernetes deployments.”
Further technical details around all three vulnerabilities are scarce. While CVE numbers have been assigned to each bug, the CVE entries contain little information.
A customer connect page for VMware indicates versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9 and 6.10 of the tool are vulnerable to attack. Patches exist for all three vulnerabilities, and VMware has stated there are currently no other workarounds or remediating actions available.
In a statement, a VMware spokesperson told SC Media they have no evidence that any of the bugs have been used by malicious hackers.
“VMware is not aware of any exploits in the wild at this time for CVE-2023-20887, CVE-2023-20888, or CVE-2023-20889, and the security advisory we released this morning provides the patches that customers can apply to resolve the vulnerabilities,” the spokesperson said. “The security of our customers is a top priority, and we encourage them to apply the patches in a timely manner to protect their environment.”
Two of the bugs were discovered by security researcher Sina Kheirkhah of Summoning Team, while the other was reported by an anonymous researcher. All three were discovered as part of Trend Micro’s Zero Day Initiative.
SC Media has reached out to Trend Micro for further information.