Critical flaw in VMware Aria Operations for Networks sees mass exploitation attempts

Researchers warn that a vulnerability patched this month in VMware Aria Operations for Networks, formerly known as vRealize Network Insight, is now seeing exploitation en masse. The flaw allows for remote code execution through command injection and is rated with critical severity.

“New data from Akamai shows the scale of active scanning for sites vulnerable to CVE-2023-20887 is much greater than originally reported,” researchers from Akamai told CSO via email. “There have been 695,072 total attacks thus far by 508 unique IP addresses. Akamai has also observed more than 27,000 of its customers' sites being scanned.”

Not the only VMware Aria Operations flaw

VMware released patches for the CVE-2023-20887 vulnerability on June 7, along with fixes for two other flaws in Aria Operations for Networks, one of which is also critical and can lead to remote code execution. While CVE-2023-20887 is a command injection flaw, the second vulnerability, tracked as CVE-2023-20888, is a deserialization issue. In programming languages, serialization is the process of transforming data into a byte stream for transmission to another application and deserialization is the reverse of that process. Because deserialization routines involve the parsing and interpretation of user-controlled data, they have been the source of many vulnerabilities.

Attackers can exploit both CVE-2023-20887 and CVE-2023-20888 if they have network access to the vulnerable application, but the latter also requires the attacker to have "member" role credentials to perform the attack, which makes it less practical to expose.

The third vulnerability, CVE-2023-20889, is a command injection vulnerability that can lead to sensitive information disclosure and is rated 8.8 (High) on the CVSS severity scale.

VMware advises customers to deploy the patches available for their respective version as soon as possible. The company has updated its advisory on June 13 to warn that exploit code for CVE-2023-20887 was released and again on June 20 to warn that active exploitation has occurred in the wild. According to Akamai and telemetry from attack monitoring service GreyNoise, since then the number of attacks have increased.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-20887 to its catalog of Actively Exploited Vulnerabilities along with the iOS vulnerabilities exploited in Operation Triangulation and a command injection flaw in network-attached storage devices from Zyxel. An authentication bypass flaw in VMware Tools (CVE-2023-20867) was also added to the catalog after being exploited as a zero-day by a Chinese cyberespionage actor to execute commands inside guest virtual machines from a compromised host.

VMware patches multiple vCenter flaws

Last week, VMware also released fixes for five vulnerabilities in its vCenter Server product that allows administrators to manage virtual infrastructure: CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895, and CVE-2023-20896. The first four flaws can lead to arbitrary code execution, memory corruption and authentication bypass and are rated with 8.1 (High) severity on the CVSS scale. Exploitation of the last flaw can result in a denial-of-service condition and is rated with a 5.9 severity score.

Even though there are no reports that these vulnerabilities have been exploited in the wild yet, attackers have been targeting flaws in VMware products. VMware users should deploy the available patches as soon as possible.