October 24, 2023 at 10:56AM
VMware has alerted customers to the availability of proof-of-concept exploit code for an authentication bypass flaw in vRealize Log Insight (now VMware Aria Operations for Logs). Tracked as CVE-2023-34051, the vulnerability allows unauthenticated attackers to remotely execute code with root permissions. Researchers have released a technical analysis, a proof-of-concept exploit, and a list of indicators of compromise. The flaw also serves as a bypass for a chain of critical vulnerabilities that VMware patched in January, enabling remote code execution. In June, VMware warned of another critical vulnerability being exploited.
During the meeting, it was discussed that VMware has warned customers about proof-of-concept exploit code for an authentication bypass flaw in vRealize Log Insight, now known as VMware Aria Operations for Logs. VMware has confirmed that exploit code for CVE-2023-34051 has been published. This vulnerability allows unauthenticated attackers to execute code remotely with root permissions under specific conditions.
Horizon3 security researchers, who discovered the bug, provided additional information on how CVE-2023-34051 can be used to achieve remote code execution as root on unpatched VMware appliances. They also released a proof-of-concept exploit and a list of indicators of compromise that network defenders can use to detect exploitation attempts.
Furthermore, it was mentioned that this vulnerability also serves as a bypass for an exploit chain of critical flaws that VMware patched in January, a chain that allows attackers to gain remote code execution. These vulnerabilities, collectively tracked as VMSA-2023-0001, include a directory traversal bug (CVE-2022-31706), a broken access control flaw (CVE-2022-31704), and an information disclosure bug (CVE-2022-31711).
It was noted that the exploitation of these vulnerabilities might require an attacker to have pre-established infrastructure and a foothold on the network, as the affected product is unlikely to be exposed to the internet. Nevertheless, VMware appliances running unpatched Aria Operations for Logs software can become valuable internal targets for threat actors seeking lateral movement within compromised networks.
Additionally, in June, VMware alerted customers to another critical remote code execution vulnerability (CVE-2023-20887) in VMware Aria Operations for Networks, which was being actively exploited.