VMware warns of exploit available for critical vRealize RCE bug

VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments.

The flaw (CVE-2023-20864) is a deserialization weakness patched in April, and it allows unauthenticated attackers to gain remote execution on unpatched appliances.

Successful exploitation enables threat actors to run arbitrary code as root following low-complexity attacks that don't require user interaction.

"VMware has confirmed that exploit code for CVE-2023-20864 has been published," the company noted in an update to the initial security advisory.

"CVE-2023-20864 is a critical issue and should be patched immediately as per the instructions in the advisory."

In April, VMware also issued security updates to address a less severe command injection vulnerability (CVE-2023-20865) that would let remote attackers with administrative privileges execute arbitrary commands as root on vulnerable appliances.

Both flaws have been fixed with the release of VMware Aria Operations for Logs 8.12. Fortunately, there is currently no evidence to suggest exploitation in attacks.

VMware Aria Operations flaws under attack

Recently, VMware issued another alert about a now-patched critical bug (CVE-2023-20887) in VMware Aria Operations for Networks (formerly vRealize Network Insight), allowing remote command execution as the root user and being actively exploited in attacks.

CISA also added the flaw to its list of known exploited vulnerabilities and ordered U.S. federal agencies to apply security updates by July 13th.

In light of this, admins are strongly advised to promptly apply CVE-2023-20864 patches as a precaution against potentially incoming attacks.

Although the number of online-exposed VMware vRealize instances is relatively low, it aligns with the intended design of these appliances, which primarily focus on internal network access within organizations.

Nonetheless, it's important to note that attackers often take advantage of vulnerabilities present in devices within compromised networks.

Therefore, even properly configured VMware appliances that remain vulnerable can become tempting targets within the internal infrastructure of targeted organizations.