CVE-2023-20887 was discovered in VMware Aria Operations and has a CVSS score of 9.8. VMware Aria Operations enables IT operations management across private, hybrid, and multi-cloud environments with a unified, high-performance platform.
This CVE allows an attacker to execute remote commands on affected instances. An exploit for the vulnerability has already been released publicly and can be used by attackers to target vulnerable instances on a large scale. Instances running version 6.0 and above are vulnerable to this CVE. VMware has already released a patch for the vulnerability, and it is advised to patch your instances.
One of the available procedures in VMware is “createSupportBundle”. The vulnerability is caused by command injection in the support bundle.
While creating a support bundle in VMware Aria Operations, a function named “createSupportBundle” is called. This function expects the following parameters in the request command:
Note: In VMware, the createSupportBundle operation refers to a feature that allows users to generate a support bundle for a particular VMware product or component. A support bundle contains diagnostic information and logs that can assist VMware support personnel in troubleshooting issues and providing assistance.
These parameters are parsed as shown in the source code of the class ‘createSupportBundle_args’ in the Appendix. These parameters are then parsed in the form of a struct like this and utilized by the ‘createSupportBundle’ function:
As seen in the source code of the ‘createSupportBundle’ function in the Appendix, the ‘nodeId’ will be passed to the function ‘evictPublishedSupportBundles’ in the ‘ScriptUtils’ class. The source code of ‘evictPublishedSupportBundles’ looks as follows:
Now, if we observe carefully, line 16 takes the ‘nodeId’ and line 21 runs it as a command on the system. Therefore, by using an escape character like the backtick (`), an attacker can execute their own commands, leading to a code execution vulnerability.
Therefore, in order to execute commands, an attacker can make a POST request with the following data:
The key “2” is supposed to be nodeId in this malicious request (based on the struct mentioned earlier). Now in order to do this remotely, all an attacker needs to do is to make a request to the “saasresttosaasservlet” endpoint i.e. “https://vulnerable-domain.com/saas.resttosaasservlet”.
Although this command execution is relatively easy to achieve, there is a catch. The nginx configuration located at `/etc/nginx/sites-available/vnera` restricts access to the `/saasresttosaasservlet` endpoint when accessed via port 443. The rule specifically permits requests originating only from the ‘localhost’. Any successful request made to this endpoint will be proxied to port 9090, which hosts an Apache Thrift RPC Server.
If we look at the nginx configuration file at “/etc/nginx/sites-available/vnera”, which restricts access to the vulnerable endpoint from the internet, we can see the following rule: “rewrite ^/saas(.*)$ /$1 break;”, as seen in the image below.
This rule can be bypassed by passing a URL with “.” such as: “https://<IP-OF-SERVER>/saas./resttosaasservlet”. The regex matches this path and rewrites it to the following URL: “https://<IP-OF-SERVER>/./resttosaasservlet”, thus bypassing the restriction in place and allowing the vulnerable code to be reached remotely, which results in RCE.
What is alarming here is that the proof of concept for this vulnerability has already been released on GitHub and can be utilized by attackers to compromise unpatched instances of VMware Aria Operations for Networks.
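A log check for the bypass described above, as an added example that is not part of the original article: it applies the quoted rewrite rule to each requested path and flags non-local requests that end up at the servlet. The access-log format, the sample lines and the assumption that the localhost-only restriction matches a literal path prefix are not from the article.

```python
import posixpath
import re
from urllib.parse import unquote

# Rewrite rule quoted in the article: rewrite ^/saas(.*)$ /$1 break;
REWRITE = re.compile(r"^/saas(.*)$")
# Assumption: the localhost-only rule matches on this literal path prefix.
RESTRICTED_PREFIX = "/saasresttosaasservlet"
# Derived from the article's rewritten URL once the "." segment is resolved.
BACKEND_TARGET = "/resttosaasservlet"
REQUEST = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')


def rewritten_path(uri):
    """Apply the article's rewrite rule to the decoded path of a request URI."""
    path = unquote(uri.split("?", 1)[0])
    m = REWRITE.match(path)
    return "/" + m.group(1) if m else path


def is_bypass_attempt(uri):
    """True if the URI misses the restricted prefix but resolves to the servlet
    once "." segments and duplicate leading slashes are normalised."""
    if unquote(uri.split("?", 1)[0]).startswith(RESTRICTED_PREFIX):
        return False  # already covered by the localhost-only rule
    resolved = "/" + posixpath.normpath(rewritten_path(uri)).lstrip("/")
    return resolved == BACKEND_TARGET


def scan(log_lines):
    """Return (client, uri) for each non-local request that reaches the servlet."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        client = line.split(" ", 1)[0]
        if m and client not in ("127.0.0.1", "::1") and is_bypass_attempt(m["uri"]):
            hits.append((client, m["uri"]))
    return hits


# Constructed sample lines (documentation addresses, made-up paths), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Jun/2023:10:01:02 +0000] "POST /saas./resttosaasservlet HTTP/1.1" 200 41',
    '198.51.100.7 - - [14/Jun/2023:10:01:05 +0000] "POST /saasresttosaasservlet HTTP/1.1" 403 162',
    '127.0.0.1 - - [14/Jun/2023:10:02:00 +0000] "POST /saasresttosaasservlet HTTP/1.1" 200 41',
    '203.0.113.9 - - [14/Jun/2023:10:03:11 +0000] "GET /saas/api/health HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Only the first sample line is reported: the second is stopped by the prefix restriction, the third is local, and the fourth does not resolve to the servlet.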
Patch the vulnerable endpoints by downloading the updated version from https://kb.vmware.com/s/article/92684
The following YARA rule can be used to detect an attacker trying to exploit this vulnerability on your network. The rule is based on the following logic: