VMware on Tuesday issued an advisory on two vulnerabilities — one of them critical — for Aria Operations for Networks and said updates are now available for security teams looking to patch.
Aria Operations for Networks comes in both on-prem and cloud-based version and aims to help security teams build a secure network infrastructure across multiple clouds.
The first vulnerability in Aria Operations for Networks — CVE-2023-34039 — contains an authentication bypass vulnerability because of a lack of unique cryptographic key generation.
NIST reports that a malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks Command Line Interface (CLI). VMware has evaluated the severity of this issue to be in the critical severity range with a maximum 9.8 CVSS score.
The second vulnerability — CVE-2023-20890 — contains an arbitrary file write vulnerability. NIST reports that an authenticated malicious actor with administrative access to VMware Aria Operations for Networks can write files to arbitrary locations resulting in remote code execution. VMware rated the flaw as high severity with a CVSS score of 7.2.
VMware thanked Harsh Jaiswal and Rahul Maini at ProjectDiscovery Research for reporting the critical bug and Sina Kheirkhah of research group Summoning Team for reporting the high severity bug. Security teams can download the VMware update here.
Authentication bypass vulnerabilities are some of the worst there are as authentication functions as a core component of authorized access to a system, explained Andrew Barratt, vice president at Coalfire. Barratt added that a 9.8 CVSS rating shows VMware is very concerned that attackers could quickly manipulate this flaw.
“The tool formally known as ‘vRealize Network Insight’ offers extensive visibility into multi-cloud environments,” said Barratt. “The concern is that used by a malicious actor, exploiting this could lead to significant levels of access to the configuration of workloads that are managed by the product. It can also make other security vulnerabilities apparent to the intruder as one of the product features a ‘crown jewel analysis’ that helps to identify possible lateral movement opportunities based on firewall configuration etc. This isn’t just the keys to the kingdom, it could also be a blueprint to the castle.”
Cyware Director Emily Phelps said unique cryptographic key generation is fundamental to many encryption systems, so the critical VMware vulnerability introduces serious risks.
“Without the assumed unique key, users will trust in protection that falls apart, and adversaries will be quick to exploit systems that don't apply the patch,” said Phelps. “Organizations should update and patch their systems as soon as possible.”
