VMware Aria vulnerable to critical SSH authentication bypass flaw

VMware Aria vulnerable to critical SSH authentication bypass flaw

VMware Aria Operations for Networks (formerly vRealize Network Insight) is vulnerable to a critical severity authentication bypass flaw that could allow remote attackers to bypass SSH authentication and access private endpoints.

VMware Aria is a suite for managing and monitoring virtualized environments and hybrid clouds, enabling IT automation, log management, analytics generation, network visibility, security and capacity planning, and full-scope operations management.

Yesterday, the vendor published a security advisory warning of a flaw that impacts all Aria 6.x branch versions.

The flaw, discovered by analysts at ProjectDiscovery Research, is tracked as CVE-2023-34039 and has received a CVSS v3 scope of 9.8, rating it “critical.”

“Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation,” warns VMware’s advisory regarding the flaw.

“A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.”

The exploitation of CVE-2023-34039 could lead to data exfiltration or manipulation through the product’s command line interface. Depending on the configuration, this access can lead to network disruption, configuration modification, malware installation, and lateral movement.

The vendor has not provided any workarounds or mitigation recommendations, so the only way to remediate the critical flaw is to upgrade to version 6.11 or apply the KB94152 patch on earlier releases.


You can find the right security update package and installation instructions for the specific version you’re using from this webpage.

A second, high-severity (CVSS v3: 7.2) flaw addressed by the same patch is CVE-2023-20890. This arbitrary file write problem may allow an attacker with administrative access to the target to perform remote code execution.

Due to this software being used in large organizations holding valuable assets, hackers are quick to exploit critical severity flaws impacting these products.

In June 2023, VMware warned its clients about the active exploitation of CVE-2023-20887, a remote code execution vulnerability impacting Aria Operations for Networks.

The mass-scan and exploitation efforts started a week after the vendor made a security update that addressed the problem available and just two days after a working PoC (proof of concept) exploit was published.

That said, any delay in applying the KB94152 patch or upgrading to Aria version 6.11 would put your network at significant risk of hacker attacks.


Exploit released for critical VMware SSH auth bypass vulnerability

Proof-of-concept exploit code has been released for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool (formerly known as vRealize Network Insight).

The flaw (tracked as CVE-2023-34039) was found by security analysts at ProjectDiscovery Research and patched by VMware on Wednesday with the release of version 6.11.

Successful exploitation enables remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line interface in low-complexity attacks that don’t require user interaction because of what the company describes as “a lack of unique cryptographic key generation.”

​To mitigate the flaw, VMware “highly recommends” applying security patches for Aria Operations for Networks versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10 available on this support document.

Today, VMware confirmed that CVE-2023-34039 exploit code has been published online, two days after disclosing the critical security bug.

The proof-of-concept (PoC) exploit targets all Aria Operations for Networks versions from 6.0 to 6.10, and it was developed and released by Summoning Team vulnerability researcher Sina Kheirkhah.

Kheirkhah said that the root cause of the issue are hardcoded SSH keys left after VMware forgot to regenerate SSH authorized keys.

“Each version of VMware’s Aria Operations for Networks has a unique SSH key. To create a fully functional exploit, I had to collect all the keys from different versions of this product,” Kheirkhah said.

CVE-2023-34039 PoC exploit

CVE-2023-34039 PoC exploit (Sina Kheirkhah)
VMware also patched an arbitrary file write vulnerability this week (CVE-2023-20890), which allows attackers to gain remote code execution after obtaining admin access to the targeted appliance (the CVE-2023-34039 PoC could let them get root permissions following successful attacks).

In July, VMware warned customers that exploit code was released online for a critical RCE flaw (CVE-2023-20864) in the VMware Aria Operations for Logs analysis tool, patched in April.

One month earlier, the company issued another alert regarding the active exploitation of another Network Insight critical bug (CVE-2023-20887) that can lead to remote command execution attacks.

CISA ordered U.S. federal agencies to patch their systems against CVE-2023-20887 by July 13th after adding it to its list of known exploited vulnerabilities.

In light of this, admins are strongly recommended to update their Aria Operations for Networks appliances to the latest version as soon as possible as a preemptive measure against potential incoming attacks.

While the number of VMware vRealize instances exposed online is relatively low, it aligns with the intended use of these appliances on internal networks.

Source: BleepingComputer