(CTN News) – In a warning to its customers today, VMware advised that exploit code is now available for a critical vulnerability in VMware Aria Operations for Logs, the log analysis tool that helps administrators manage terabytes' worth of application and infrastructure logs in large-scale environments.
Patched in April, the vulnerability (CVE-2023-20864) is a deserialization flaw that lets unauthenticated attackers achieve remote code execution on unpatched appliances.
Successful exploitation allows threat actors to run arbitrary code as root through a low-complexity attack that requires no user interaction.
Earlier this week, VMware reported the publication of exploit code for CVE-2023-20864 as part of an update to the initial security advisory that it issued.
It is recommended that you patch CVE-2023-20864 immediately as per the instructions in the advisory, as it is a critical issue.
In the same April update, VMware also addressed a less severe command injection vulnerability (CVE-2023-20865) that could allow remote attackers who already hold administrative privileges to execute arbitrary commands as root on vulnerable appliances.
Both vulnerabilities are fixed in VMware Aria Operations for Logs 8.12. At the time of writing, no evidence has been found that either vulnerability has been exploited in attacks.
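A practical follow-up to the advisory is checking an appliance inventory against the fixed release. The following is an added example (not VMware tooling and not part of the original article): it takes the "fixed in 8.12" statement above as its only rule, flags any Aria Operations for Logs appliance running an earlier version as affected by both CVEs, and ranks internet-exposed hosts first. The hostnames, versions and exposure flags in the inventory are constructed for illustration. Note the version parsing: comparing versions as plain strings would rank "8.9" above "8.12" and silently mark an unpatched appliance as safe.

```python
"""Triage an appliance inventory against the Aria Operations for Logs fixes
(CVE-2023-20864 and CVE-2023-20865, both fixed in release 8.12).
Added example with a constructed inventory; not VMware's own tooling."""
import re
from typing import List, Tuple

# Per the advisory summarised in the article, both CVEs are fixed in 8.12.
FIXED_VERSION = "8.12"
FIXED_CVES = ("CVE-2023-20864", "CVE-2023-20865")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.10.2' into (8, 10, 2) so that versions compare numerically.
    A string comparison would wrongly treat '8.9' as newer than '8.12'."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running version is at or above the fixed release.
    Tuple comparison makes (8, 12, 1) >= (8, 12) hold, so point releases
    on top of 8.12 count as patched."""
    return parse_version(version) >= parse_version(fixed)


def triage(inventory: List[Tuple[str, str, bool]]) -> List[dict]:
    """inventory rows are (hostname, version, internet_exposed).

    Returns one finding per unpatched appliance. Internet-exposed hosts are
    ranked first, but internal ones are still reported: the article's point
    is that attackers pivot to internal appliances once they have a foothold.
    """
    findings = []
    for host, version, exposed in inventory:
        if is_patched(version):
            continue
        findings.append({
            "host": host,
            "version": version,
            "cves": list(FIXED_CVES),
            "priority": "P1-internet-exposed" if exposed else "P2-internal",
        })
    # Stable sort: P1 before P2, inventory order preserved within a tier.
    findings.sort(key=lambda f: f["priority"])
    return findings


# Constructed sample inventory (hypothetical hostnames, versions, exposure).
SAMPLE_INVENTORY = [
    ("logs-dmz-01.example.internal", "8.10.2", True),
    ("logs-core-01.example.internal", "8.12", False),
    ("logs-core-02.example.internal", "8.9", False),
    ("logs-lab-01.example.internal", "8.12.1", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['priority']:22} {f['host']:32} {f['version']:8} "
              f"{', '.join(f['cves'])}")
```

Feed it whatever your CMDB or vCenter export produces as (host, version, exposed) tuples; the exposure flag is the only input that needs judgement, and the article's own guidance is that an internal-only appliance still belongs on the patch list.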
VMware Aria Operations flaws under attack
VMware recently issued another alert regarding a critical vulnerability (CVE-2023-20887) in VMware Aria Operations for Networks (formerly vRealize Network Insight), which allows remote command execution as the root user, and has been actively exploited in attacks.
CISA has added that vulnerability to its Known Exploited Vulnerabilities catalog and ordered U.S. federal agencies to apply the security updates by July 13.
With exploit code for CVE-2023-20864 now public and CVE-2023-20887 already being exploited, administrators should apply the patches for both as soon as possible rather than wait for attacks to reach their environment.
Relatively few VMware vRealize instances are exposed to the internet, which is consistent with how these appliances are meant to be deployed: they are designed to be reached from within an organization's internal network.
Even so, attackers routinely pivot to vulnerable internal devices once they have gained a foothold in a network.
A properly configured appliance that is not reachable from the internet therefore remains a tempting target inside a targeted organization's infrastructure if it is left unpatched.