VMware reports public exploit of vRealize RCE vulnerability

published: Oct. 24, 2023

Take action: If your VMware Aria application is exposed to the internet, lock it down so it's accessible only from trusted networks. Then, patch ASAP. Don't assume that having Aria locked down is enough: hackers will abuse it in a second-stage attack after compromising something smaller and simpler, such as a single computer via phishing.

VMware has issued a warning to its customers, alerting them to the availability of proof-of-concept (PoC) exploit code for an authentication bypass vulnerability in vRealize Log Insight, which is now known as VMware Aria Operations for Logs.

VMware has confirmed the publication of exploit code for CVE-2023-34051, which, when successfully exploited, allows unauthenticated attackers to execute code remotely with root-level permissions, subject to specific conditions.

To exploit this flaw, an attacker must first compromise a host within the targeted environment and have the necessary permissions to add an extra interface or static IP address. Horizon3 security researchers, who discovered the vulnerability, have provided a technical analysis, a PoC exploit, and indicators of compromise (IOCs).

The exploit leverages IP address spoofing and Thrift RPC endpoints to facilitate arbitrary file writes, often resulting in the creation of a reverse shell, but it requires the attacker to possess the same IP address as a master or worker node. Additionally, this vulnerability serves as a bypass for a chain of critical flaws that VMware patched in January, enabling attackers to achieve remote code execution:

  • a directory traversal bug (CVE-2022-31706),
  • a broken access control flaw (CVE-2022-31704),
  • an information disclosure bug (CVE-2022-31711).

Combining these vulnerabilities, tracked collectively as VMSA-2023-0001 by VMware, allows attackers to inject malicious files into unpatched VMware appliances running Aria Operations for Logs.

While this vulnerability is relatively easy to exploit, it typically requires attackers to have infrastructure set up for serving malicious payloads, and they often target previously compromised networks for lateral movement.