VMware, a prominent provider of virtualization software, has warned administrators and customers that proof-of-concept (PoC) exploit code is available for a critical authentication bypass flaw in vRealize Log Insight, now named VMware Aria Operations for Logs. Tracked as CVE-2023-34051, the vulnerability could let unauthenticated attackers execute code remotely with root-level permissions, provided specific conditions are met.
The flaw was discovered by Horizon3 security researchers, who have published a technical root cause analysis demonstrating how CVE-2023-34051 can be used to achieve remote code execution as the root user on unpatched VMware appliances. The researchers have also released a PoC exploit and indicators of compromise (IOCs) to help network defenders identify exploitation attempts within their environments.
The vulnerability is a bypass of VMware's fix for an exploit chain of critical flaws patched in January. That chain consists of a directory traversal bug (CVE-2022-31706), a broken access control flaw (CVE-2022-31704), and an information disclosure bug (CVE-2022-31711).
By chaining these vulnerabilities together, attackers can inject maliciously crafted files into the operating systems of unpatched VMware appliances running Aria Operations for Logs. The Horizon3 researchers note that their remote code execution (RCE) exploit “abuses various Thrift RPC endpoints to achieve an arbitrary file write”. They also stress that, although the vulnerability is relatively easy to exploit, attackers need certain infrastructure in place to deliver the malicious payloads.
They add that the product is unlikely to be exposed to the internet, so an attacker exploiting it probably already holds a foothold elsewhere on the network. Threat actors routinely leverage vulnerabilities inside previously compromised networks to move laterally, which makes vulnerable VMware appliances valuable internal targets.