VMware patches critical bugs in network analytics tool

VMware issues patches to address critical bugs in vRealize network analytics tool


A command injection vulnerability is the most critical of the bugs in vRealize addressed by VMware

VMware has released security updates to address a set of vulnerabilities in Aria Operations for Networks which attackers could exploit to execute remote code and extract sensitive information from compromised devices.

Aria Operations for Networks is a network visibility and analytics tool designed to assist administrators in optimising network performance, as well as managing and scaling various VMware and Kubernetes deployments. The tool was formerly known as vRealize Network Insight (vRNI).

"Multiple vulnerabilities in Aria Operations for Networks were privately reported to VMware," according to VMware's security advisory.

"Patches are available to remediate these vulnerabilities in affected VMware products."

Among the three security bugs addressed by VMware, the most critical is a command injection vulnerability identified as CVE-2023-20887 (CVSS score: 9.8). This vulnerability can be exploited by unauthenticated threat actors in low-complexity attacks that do not require user interaction.

VMware credited Anonymous working with Trend Micro Zero Day Initiative for responsibly disclosing and reporting this issue to the company.

VMware has also addressed a deserialisation vulnerability (CVE-2023-20888) with a CVSS score of 9.1 out of 10. This vulnerability, if left unpatched, could potentially result in remote code execution on Aria Operations appliances.

"A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialisation attack resulting in remote code execution," the company said in an advisory.

VMware extends its appreciation to Sina Kheirkhah of Summoning Team, working with Trend Micro Zero Day Initiative, for responsibly reporting this issue.

The third vulnerability, identified as CVE-2023-20889, is an information disclosure flaw that allows malicious actors to gain access to sensitive information after successfully executing a command injection attack.

The bug (CVE-2023-20889) has been assigned a CVSS score of 8.8.

These three vulnerabilities impact multiple versions of Aria Operations for Networks, including vRNI 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10.

Although there is currently no evidence indicating that these vulnerabilities have been exploited in real-world attacks, users are strongly advised to apply the necessary patches promptly.

According to VMware, no workarounds are available to eliminate the attack vectors associated with the identified vulnerabilities.

Users can access the complete list of security patches released by VMware to address these vulnerabilities for all affected versions of Aria Operations for Networks on VMware's Customer Connect website.

The website provides comprehensive information and instructions on how to apply the patch bundles to ensure that the vulnerabilities are mitigated effectively.

Earlier this year, unidentified attackers launched a large-scale ransomware campaign aimed at compromising numerous unpatched VMware ESXi servers by exploiting CVE-2021-21974, a vulnerability that had been patched about two years earlier.

Florida's Supreme Court was among the victims of the ransomware spree.

Despite affecting numerous organisations, the attack failed to generate significant ransom payments from the victims. This was due to an error by the attackers, who failed to encrypt certain crucial files.

The error led security experts to believe that the attackers were likely criminal opportunists rather than state-sponsored actors.