Source: Bleeping Computer
Summary
VMware is reiterating the importance of patching vulnerable versions of VMware Aria Operations for Networks (formerly vRealize Network Insight) after confirming that CVE-2023-20887 has been exploited in the wild. VMware Aria Operations for Networks is a network analytics tool that helps administrators optimize network performance or manage VMware and Kubernetes deployments.
The vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. At least one security researcher has published proof-of-concept exploit code that establishes a reverse shell to attacker-controlled infrastructure and waits for further commands. This code can easily be reused by threat actors to compromise unpatched systems.
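The reverse shell described above is, from the network's point of view, an outbound connection that a management appliance has no business initiating. As an added example (not code from the original article, nor from VMware or Field Effect), the following Python flags flows that originate from an assumed appliance subnet and are not on an explicit egress allowlist. The subnet, the allowlist entries and the whitespace-separated flow-log format are assumptions, and the sample flow lines are constructed for the demonstration.

```python
"""Flag unexpected egress from a management-appliance subnet.

Added illustration; the subnet, allowlist and log format below are assumptions,
and SAMPLE_FLOWS is constructed, not real telemetry.
"""
import ipaddress
from dataclasses import dataclass

# Assumed: the address range where the Aria Operations for Networks appliances live.
APPLIANCE_NET = ipaddress.ip_network("10.10.50.0/24")

# Assumed: private ranges the organisation treats as internal.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed allowlist of (destination, port) pairs an appliance legitimately initiates.
ALLOWED_EGRESS = {
    ("10.0.0.53", 53),    # internal DNS
    ("10.0.0.123", 123),  # internal NTP
    ("10.10.1.10", 443),  # vCenter (assumed address)
}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one assumed-format line: '<ts> <src> <dst> <dport> <proto>'.

    Returns None for lines that do not have exactly five fields or a numeric port,
    so a malformed record cannot abort the whole scan.
    """
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, dport, proto = parts
    return Flow(ts, src, dst, int(dport), proto)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(flow):
    """Return a reason string if the flow is suspicious egress, else None."""
    src = ipaddress.ip_address(flow.src)
    if src not in APPLIANCE_NET:
        return None  # not an appliance-originated flow; out of scope here
    if (flow.dst, flow.dport) in ALLOWED_EGRESS:
        return None  # expected appliance traffic
    dst = ipaddress.ip_address(flow.dst)
    if not is_internal(dst):
        # An appliance reaching out to a non-internal host is the reverse-shell shape.
        return "external-egress"
    return "unexpected-internal"


def find_suspicious(lines):
    """Return [(Flow, reason), ...] for every parsable, suspicious flow line."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason is not None:
            findings.append((flow, reason))
    return findings


# Constructed sample flow records (203.0.113.0/24 is a documentation range).
SAMPLE_FLOWS = [
    "2023-06-20T10:00:01Z 10.10.50.5 10.0.0.53 53 udp",      # allowed: DNS
    "2023-06-20T10:00:05Z 10.10.50.5 10.10.1.10 443 tcp",    # allowed: vCenter
    "2023-06-20T10:01:12Z 10.10.50.5 203.0.113.7 4444 tcp",  # appliance -> external
    "2023-06-20T10:01:20Z 10.0.0.77 203.0.113.7 443 tcp",    # not an appliance
    "2023-06-20T10:02:00Z 10.10.50.6 10.20.30.40 22 tcp",    # appliance -> unlisted host
    "garbage line that does not parse",                     # skipped
]

if __name__ == "__main__":
    for flow, reason in find_suspicious(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} [{reason}]")
```

Run as-is, the script reports two findings from the constructed sample: the appliance-to-external connection on port 4444 and the appliance-to-unlisted-internal-host SSH flow. The allowlist approach is deliberately strict; an appliance should have a short, known list of destinations, so anything else from that subnet is worth a ticket regardless of which CVE is in the news.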
Analysis
Field Effect has not detected any activity indicative of CVE-2023-20887 scanning or exploitation in our telemetry.
VMware’s large product suite is deployed widely throughout the world (see below) and has a history of being exploited by cybercriminals and nation-state actors alike.
Scan results for VMware software (Source: Shodan.io)
For example, it was recently reported that a Chinese state-sponsored actor known as UNC3886 exploited an authentication bypass flaw (CVE-2023-20867) in VMware Tools to deploy VirtualPita and VirtualPie backdoors on guest virtual machines from compromised ESXi hosts.
In February 2023, a two-year-old vulnerability designated CVE-2021-21974, better known as ESXiArgs, was exploited by ransomware threat actors, leading to the compromise of thousands of unpatched systems worldwide.
The exploitation of known vulnerabilities for which a patch is already available highlights the importance of maintaining a high patching cadence, especially when proof-of-concept exploit code is freely available.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as VMware products. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of VMware products to ensure that they are up to date. A complete list of security patches for all vulnerable Aria Operations for Networks versions is available on VMware's Customer Connect website.