VMware fixes critical flaws in Aria Operations for Networks (CVE-2023-20887)

VMware has fixed two critical (CVE-2023-20887, CVE-2023-20888) and one important vulnerability (CVE-2023-20889) in Aria Operations for Networks (formerly vRealize Network Insight), its popular enterprise network monitoring tool.

About the vulnerabilities (CVE-2023-20887, CVE-2023-20888,CVE-2023-20889)

CVE-2023-20887 is a pre-authentication command injection vulnerability that may allow a malicious actor with network access to VMware Aria Operations for Networks to perform a command injection attack and execute code remotely.

“According to a tweet by researcher Y4er, CVE-2023-20887 is reportedly a patch bypass for CVE-2022-31702, another critical command injection vulnerability in vRNI that was patched by VMware in December 2022,” Tenable’s Scott Caveza revealed.

CVE-2023-20888 is an authenticated deserialization vulnerability that may allow a malicious actor with network access to VMware Aria Operations for Networks and valid “member” role credentials to execute code through a deserialization attack.

CVE-2023-20889 is an information disclosure vulnerability that could allow a malicious actor who has network access to VMware Aria Operations for Networks to perform a command injection attack that could result in information disclosure.

The three vulnerabilties have been discovered by researcher Sina Kheirkhah of Summoning Team and reported to VMware via Trend Micro’s Zero Day Initiative (ZDI). But CVE-2023-20887 was also independently discovered and reported – obviously a bit earlier – to the ZDI by an anonymous researcher, who received credit for the RCE flaw.

Kheirkhah has released technical details and a PoC exploit for CVE-2023-20887. Currently, there is no mention or evidence of the flaw being exploited in the wild.

Remediation

Multiple versions of VMware Aria Operations for Networks, namely
Versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 of VMware Aria Operations for Networks are affected by these vulnerabilities.

Since there are no workarounds, VMware recommends updating to a fixed version.

UPDATE (June 21, 2023, 05:50 a.m. ET):

CVE-2023-20887 has been spotted being exploited in the wild.