VMware warns admins of public exploit for vRealize RCE flaw

VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs).

"Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," the company said in an update to the original advisory.

Tracked as CVE-2023-34051, it allows unauthenticated attackers to execute code remotely with root permissions if certain conditions are met.

Successful exploitation hinges on the attacker compromising a host within the targeted environment and possessing permissions to add an extra interface or static IP address, according to Horizon3 security researchers who discovered the bug.

Horizon3 published a technical root cause analysis for this security flaw on Friday with additional information on how CVE-2023-34051 can be used to gain remote code execution as root on unpatched VMware appliances.

The security researchers also released a PoC exploit and a list of indicators of compromise (IOCs) that network defenders could use to detect exploitation attempts within their environments.

"This POC abuses IP address spoofing and various Thrift RPC endpoints to achieve an arbitrary file write," the Horizon3 Attack Team said.

"The default configuration of this vulnerability writes a cron job to create a reverse shell. Be sure to change the payload file to suit your environment.

"For this attack to work, an attacker must have the same IP address as a master /worker node."

​Bypass for a RCE exploit chain

This vulnerability is also a bypass for an exploit chain of critical flaws patched by VMware in January, enabling attackers to gain remote code execution.

The first (CVE-2022-31706) is a directory traversal bug, the second (CVE-2022-31704) is a broken access control flaw, while the third, an information disclosure bug (CVE-2022-31711), allows attackers to gain access to sensitive session and application info,

Attackers can chain these vulnerabilities (collectively tracked as VMSA-2023-0001 by VMware) to inject maliciously crafted files into the operating system of VMware appliances running unpatched Aria Operations for Logs software.

When Horizon3 security researchers released a VMSA-2023-0001 PoC exploit one week after the company pushed security updates, they explained that their RCE exploit "abuses the various Thrift RPC endpoints to achieve an arbitrary file write."

"This vulnerability is easy to exploit however, it requires the attacker to have some infrastructure setup to serve malicious payloads," they said.

"Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network.

However, threat actors frequently exploit vulnerabilities within previously compromised networks for lateral movement, making vulnerable VMware appliances valuable internal targets.

In June, VMware warned customers about another critical remote code execution vulnerability in VMware Aria Operations for Networks (tracked as CVE-2023-20887) being exploited in attacks.