PoC Exploit Released for Critical VMware Aria’s SSH Auth Bypass Vulnerability

Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight).

The flaw, tracked as CVE-2023-34039, is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation.

Summoning Team's Sina Kheirkhah, who published the PoC after analyzing the patch released by VMware, traced the root cause to a bash script containing a function named refresh_ssh_keys(), which overwrites the authorized_keys files of the support and ubuntu users with a fixed set of public keys. Because that set is the same on every appliance rather than generated per installation, anyone holding the matching private key can authenticate over SSH as those users.

“There is SSH authentication in place; however, VMware forgot to regenerate the keys,” Kheirkhah said. “VMware’s Aria Operations for Networks had hard-coded its keys from version 6.0 to 6.10.”
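The symptom of keys that were shipped with the image instead of generated on first boot is that the same public key is trusted on every appliance. The following fleet check is an added example written for this page, not code from the article or from Kheirkhah's PoC: it parses authorized_keys contents collected from several hosts, computes OpenSSH-style SHA256 fingerprints (the value `ssh-keygen -lf` prints), and reports any key trusted on more than one host. The hostnames, key bytes and authorized_keys text are constructed for the demonstration and are not real keys; in practice the input would be the support and ubuntu users' authorized_keys files pulled from each appliance.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# Prefixes of the key-type token on an authorized_keys line (ssh-ed25519, ssh-rsa,
# ecdsa-sha2-nistp256, sk-ssh-ed25519@openssh.com, ...).
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> str:
    """Base64 key blob for an ssh-ed25519 public key: string "ssh-ed25519" + string(32-byte key)."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)).decode()


def fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint of one authorized_keys line.

    The line may start with an options field such as from="..." or command="...";
    the key-type token is located first, the base64 blob after it is decoded, and
    the fingerprint is SHA256 of the raw blob, base64-encoded without '=' padding.
    """
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPES) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found on line: %r" % line)


def find_shared_keys(inventory: dict) -> dict:
    """inventory maps hostname -> authorized_keys text collected from that host.

    Returns {fingerprint: sorted hosts} for every key trusted by more than one host.
    A key generated per appliance appears once; a key baked into the image appears everywhere.
    """
    hosts_by_fp = defaultdict(set)
    for host, text in inventory.items():
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            hosts_by_fp[fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def sample_inventory() -> dict:
    """Constructed sample: three appliances, each trusting one image-wide key and one per-host key.

    The key bytes are arbitrary constants, not real keys, chosen so that one blob is
    identical on every host (the flaw) while the other differs per host (the fix).
    """
    shipped = ed25519_blob(bytes(range(32)))  # identical bytes on every host
    inventory = {}
    for host in ("aria-01", "aria-02", "aria-03"):
        per_host = ed25519_blob(hashlib.sha256(host.encode()).digest())  # unique per host
        inventory[host] = (
            "# authorized_keys for user support (constructed sample)\n"
            f"ssh-ed25519 {shipped} support@appliance\n"
            f'from="10.0.0.0/8" ssh-ed25519 {per_host} ops@{host}\n'
        )
    return inventory


if __name__ == "__main__":
    shared = find_shared_keys(sample_inventory())
    for fp, hosts in shared.items():
        print(f"{fp} trusted on {len(hosts)} hosts: {', '.join(hosts)}")
    if not shared:
        print("no authorized key is shared across hosts")
```

Run against real appliances, a hit for the support or ubuntu user means the trusted key is not unique to that host and its private half should be assumed to be available to anyone who has the appliance image. After upgrading to a fixed release, rerun the check and confirm that no key is still shared across hosts.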

The release of the PoC coincides with the virtualization technology giant issuing fixes for a high-severity SAML token signature bypass flaw (CVE-2023-20900, CVSS score: 7.5) across several Windows and Linux versions of VMware Tools.

Peter Stöckli of GitHub Security Lab has been credited with reporting the flaw, which affects the following versions –

  • VMware Tools for Windows (12.x.x, 11.x.x, 10.3.x) – Fixed in 12.3.0
  • VMware Tools for Linux (10.3.x) – Fixed in 10.3.26
  • open-vm-tools, the open-source implementation of VMware Tools for Linux (12.x.x, 11.x.x, 10.3.x) – Fixed in 12.3.0 (to be distributed by Linux vendors)

The development also comes as Fortinet FortiGuard Labs warned of continued exploitation of Adobe ColdFusion vulnerabilities by threat actors to deploy cryptocurrency miners and hybrid bots such as Satan DDoS (aka Lucifer) and RudeMiner (aka SpreadMiner), which are capable of carrying out both cryptojacking and distributed denial-of-service (DDoS) attacks.

Source: https://thehackernews.com/