Vulnerability Intelligence
6
mins read

CVE-2023-20887 Leads to RCE in VMware Aria Operations for Networks

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8 which leads to VMware Aria.

Vikas Kundu
June 16, 2023
Green Alert
Last Update posted on
February 3, 2024
Keep your web applications secure from vulnerabilities.

A vulnerable web applications can open the door to your critical assets. Stay protected with CloudSEK BeVigil Enterprise Web App Scanner module.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Anirudh Batra
 In brief

1. Introduction: Understanding CVE-2023-20887
2. CVE-2023-20087 - Vulnerability Analysis?
3. CVE-2023-20887 - The Command Injection how it works ?
4. How the bypass works
5. Mitigating Risk: Steps to Secure Against CVE-2023-20887
6. Threat detection on CVE-2023-20887

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8. The solution VMware Aria Operations enables IT operations management across private, hybrid, and multi-cloud environments with a unified, high-performance platform. 

This CVE allows an attacker to execute remote commands on the affected instances. An exploit for the vulnerability has already been released publicly and can be used by attackers to target vulnerable instances on a large scale. The instances with Version 6.0 and above are vulnerable to this CVE. VMware has already released a patch for the vulnerability and it is advised to patch your instances.

Affected Product

CVE Type

Version

CVSSv3 base score 

VMware Aria Operations for Networks (Formerly vRealize Network Insight)

Remote Command Injection Vulnerability

6.x

9.8

Vulnerability Analysis

One of the available procedures in VMware is “createSupportBundle”,  The vulnerability is caused by command injection in the support bundle.

The Command Injection

While creating a support bundle in the VMware Aria Operations, a function named “createSupportBundle” is called. This function expects the following parameters in the request command:

  • customerId
  • nodeId
  • requestId 
  • evictionRequestIDs
Note:  In VMware, the createSupportBundle operation refers to a feature that allows users to generate a support bundle for a particular VMware product or component. A support bundle contains diagnostic information and logs that can assist VMware support personnel in troubleshooting issues and providing assistance.

These parameters are parsed as shown in the source code of the class ‘createSupportBundle_args’ in the Appendix. These parameters are then parsed in the form of a struct like this and utilized by the ‘createSupportBundle’ function:



struct {
	customerId,
	nodeId,
	requestId,
	evictionRequestIDs
}

As seen in the source code of the function ‘createSupportBundle’ function in the Appendix, the ‘nodeId’ will be passed to the function ‘evictPublishedSupportBundles’ in the ‘ScriptUtils’ class. The source code of ‘evictPublishedSupportBundles’ looks as follows:

Source Code of evictPublishedSupportBundles function

Now, if we observe carefully, line 16 takes the ‘nodeID’ and line 21 runs it as a command on the system. Therefore, by using an escape character like (`), an attacker can execute their own commands leading to a code execution vulnerability.

Therefore in order to execute commands, an attacker can make a post request with the following data:

A sample JSON object used in the post request to execute commands

The key “2” is supposed to be nodeId in this malicious request (based on the struct mentioned earlier). Now in order to do this remotely, all an attacker needs to do is to make a request to the “saasresttosaasservlet” endpoint i.e. “https://vulnerable-domain.com/saas.resttosaasservlet”. 

Although this command execution is relatively easy to achieve, there is a catch. The nginx configuration located at `/etc/nginx/sites-available/vnera` restricts access to the `/saasresttosaasservlet` endpoint when accessed via port 443. The rule specifically permits requests originating only from the ‘localhost’. Any successful request made to this endpoint will be proxied to port 9090, which hosts an Apache Thrift RPC Server.

 

The Bypass

If we look at the Apache configuration file at “/etc/nginx/sites-available/vnera” which restricts access to the vulnerable endpoint from the internet we can see the following rule “rewrite ^/saas(.*)$ /$1 break;” as seen in the image below.

Source code of the Apache config file at /etc/nginx/sites-available/vnera

This rule can now be bypassed by passing a URL with “.” such as: “https://<IP-OF-SERVER>/saas./resttosaasservlet”. This will be treated by the regex and converted to the following URL:  “https://<IP-OF-SERVER>/./resttosaasservlet”, thus bypassing the restriction in place and allowing access to the vulnerable code remotely leading to an RCE to be achieved.

What is alarming here is that the proof of concept for this vulnerability has already been released on Git Hub and can be utilized by the attackers to compromise unpatched instances of VMware Aria Operations for Networks.

Mitigations

Patch the vulnerable endpoints by downloading the updated version from https://kb.vmware.com/s/article/92684 

Threat Detection

The following YARA rule can be used to detect an attacker trying to exploit this vulnerability on your network. The rule is based on the following logic:

  1. The attacker is trying to access the vulnerable endpoint using the path: “/saas./resttosaasservlet”.
  2. The attacker is using the HTTP POST method at this endpoint.
  3. The post data contains the character ` in the beginning, end, or between.


rule Detect_VMWare_Aria_RCE_Network
{
   meta:
       description = "Detects network traffic related to VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE"
       author = "Vikas Kundu"
       reference = "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"


   strings:
       $httpMethod = "POST" nocase wide
       $urlPath = "/saas./resttosaasservlet" nocase wide
       $payload_with_char_at_start_or_end = "[/[^,]+/,\"createSupportBundle\", /[^,]+/, /[^,]+/, {\"1\": {\"str\": /[^,]+/}, \"2\": {\"str\": /`.*`/}, \"3\":{\"str\":/[^,]+/},\"4\":{\"lst\":[/[^,]+/,/[^,]+/,/[^,]+/,/[^,]+/]}}]" nocase wide
       $payload_with_char_in_between =      "[/[^,]+/,\"createSupportBundle\", /[^,]+/, /[^,]+/, {\"1\": {\"str\": /[^,]+/}, \"2\": {\"str\": /.*`.*/ }, \"3\":{\"str\":/[^,]+/},\"4\":{\"lst\":[/[^,]+/,/[^,]+/,/[^,]+/,/[^,]+/]}}]" nocase wide


   condition:
       $httpMethod at 0 and any of (payload_with_char_at_start_or_end, $payload_with_char_in_between) and $urlPath at 0
}



References

Appendix

Source Code of createSupportBundle function

Source Code of createSupportBundle_args class

Author

Vikas Kundu

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Scam
October 25, 2024

The BRICS-Bait Rug Pull – How Scammers Use International Credibility to Deceive Investors

CloudSEK’s TRIAD team created this report based on an analysis of the increasing trend of cryptocurrency counterfeiting, in which tokens impersonate government organizations to provide some legitimacy to their “rug pull” scams. An example of this scam is covered in this report where threat actors have created a counterfeit token named “BRICS”. This token is aimed at exploiting the focus on the BRICS Summit held in Kazan, Russia, and the increased interest in investments and expansion of the BRICS government organization which comprises different countries (Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates)

Blog Image
Adversary Intelligence
Breach
Data leaks
Emerging Threats
Hacktivism
October 10, 2024

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

Over recent months, the United States has faced a surge in cyber attacks, with ransomware incidents rising sharply from June to October 2024. Prominent groups, including Play, RansomHub, Lockbit, Qilin, and Meow, have targeted sectors such as Business Services, Manufacturing, IT, and Healthcare, compromising over 800 organizations. Major attacks included a breach of the City of Columbus by Rhysida ransomware and data leaks impacting Virginia’s Department of Elections and Healthcare.gov. Additionally, China’s "Salt Typhoon" espionage campaign is aggressively targeting U.S. ISPs, further complicating the cyber threat landscape. Hacktivist groups advocating pro-Russian and pro-Palestinian positions have also increased their attacks, affecting government entities and critical infrastructure. This report highlights the need for enhanced security protocols, regular audits, and public awareness initiatives to mitigate the growing cyber risks. Key recommendations include implementing multi-factor authentication, frequent employee training, and advanced threat monitoring to safeguard the nation's critical infrastructure and public trust.

Blog Image
Adversary Intelligence
July 29, 2024

Exposing the Exploitation: How CVE-2024-23897 Led to the Compromise of Github Repos via Jenkins LFI Vulnerability

This blog details how CVE-2024-23897, a Local File Inclusion (LFI) vulnerability in Jenkins, was exploited to breach Github repositories. Attackers accessed sensitive files, decrypted credentials, and used them to infiltrate private repositories. The article underscores the need for timely patching, strong authentication, and regular security audits to mitigate such threats.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Vulnerability Intelligence

6

min read

CVE-2023-20887 Leads to RCE in VMware Aria Operations for Networks

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8 which leads to VMware Aria.

Authors
Vikas Kundu
Co-Authors
Anirudh Batra
 In brief

1. Introduction: Understanding CVE-2023-20887
2. CVE-2023-20087 - Vulnerability Analysis?
3. CVE-2023-20887 - The Command Injection how it works ?
4. How the bypass works
5. Mitigating Risk: Steps to Secure Against CVE-2023-20887
6. Threat detection on CVE-2023-20887

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8. The solution VMware Aria Operations enables IT operations management across private, hybrid, and multi-cloud environments with a unified, high-performance platform. 

This CVE allows an attacker to execute remote commands on the affected instances. An exploit for the vulnerability has already been released publicly and can be used by attackers to target vulnerable instances on a large scale. The instances with Version 6.0 and above are vulnerable to this CVE. VMware has already released a patch for the vulnerability and it is advised to patch your instances.

Affected Product

CVE Type

Version

CVSSv3 base score 

VMware Aria Operations for Networks (Formerly vRealize Network Insight)

Remote Command Injection Vulnerability

6.x

9.8

Vulnerability Analysis

One of the available procedures in VMware is “createSupportBundle”,  The vulnerability is caused by command injection in the support bundle.

The Command Injection

While creating a support bundle in the VMware Aria Operations, a function named “createSupportBundle” is called. This function expects the following parameters in the request command:

  • customerId
  • nodeId
  • requestId 
  • evictionRequestIDs
Note:  In VMware, the createSupportBundle operation refers to a feature that allows users to generate a support bundle for a particular VMware product or component. A support bundle contains diagnostic information and logs that can assist VMware support personnel in troubleshooting issues and providing assistance.

These parameters are parsed as shown in the source code of the class ‘createSupportBundle_args’ in the Appendix. These parameters are then parsed in the form of a struct like this and utilized by the ‘createSupportBundle’ function:



struct {
	customerId,
	nodeId,
	requestId,
	evictionRequestIDs
}

As seen in the source code of the function ‘createSupportBundle’ function in the Appendix, the ‘nodeId’ will be passed to the function ‘evictPublishedSupportBundles’ in the ‘ScriptUtils’ class. The source code of ‘evictPublishedSupportBundles’ looks as follows:

Source Code of evictPublishedSupportBundles function

Now, if we observe carefully, line 16 takes the ‘nodeID’ and line 21 runs it as a command on the system. Therefore, by using an escape character like (`), an attacker can execute their own commands leading to a code execution vulnerability.

Therefore in order to execute commands, an attacker can make a post request with the following data:

A sample JSON object used in the post request to execute commands

The key “2” is supposed to be nodeId in this malicious request (based on the struct mentioned earlier). Now in order to do this remotely, all an attacker needs to do is to make a request to the “saasresttosaasservlet” endpoint i.e. “https://vulnerable-domain.com/saas.resttosaasservlet”. 

Although this command execution is relatively easy to achieve, there is a catch. The nginx configuration located at `/etc/nginx/sites-available/vnera` restricts access to the `/saasresttosaasservlet` endpoint when accessed via port 443. The rule specifically permits requests originating only from the ‘localhost’. Any successful request made to this endpoint will be proxied to port 9090, which hosts an Apache Thrift RPC Server.

 

The Bypass

If we look at the Apache configuration file at “/etc/nginx/sites-available/vnera” which restricts access to the vulnerable endpoint from the internet we can see the following rule “rewrite ^/saas(.*)$ /$1 break;” as seen in the image below.

Source code of the Apache config file at /etc/nginx/sites-available/vnera

This rule can now be bypassed by passing a URL with “.” such as: “https://<IP-OF-SERVER>/saas./resttosaasservlet”. This will be treated by the regex and converted to the following URL:  “https://<IP-OF-SERVER>/./resttosaasservlet”, thus bypassing the restriction in place and allowing access to the vulnerable code remotely leading to an RCE to be achieved.

What is alarming here is that the proof of concept for this vulnerability has already been released on Git Hub and can be utilized by the attackers to compromise unpatched instances of VMware Aria Operations for Networks.

Mitigations

Patch the vulnerable endpoints by downloading the updated version from https://kb.vmware.com/s/article/92684 

Threat Detection

The following YARA rule can be used to detect an attacker trying to exploit this vulnerability on your network. The rule is based on the following logic:

  1. The attacker is trying to access the vulnerable endpoint using the path: “/saas./resttosaasservlet”.
  2. The attacker is using the HTTP POST method at this endpoint.
  3. The post data contains the character ` in the beginning, end, or between.


rule Detect_VMWare_Aria_RCE_Network
{
   meta:
       description = "Detects network traffic related to VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE"
       author = "Vikas Kundu"
       reference = "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"


   strings:
       $httpMethod = "POST" nocase wide
       $urlPath = "/saas./resttosaasservlet" nocase wide
       $payload_with_char_at_start_or_end = "[/[^,]+/,\"createSupportBundle\", /[^,]+/, /[^,]+/, {\"1\": {\"str\": /[^,]+/}, \"2\": {\"str\": /`.*`/}, \"3\":{\"str\":/[^,]+/},\"4\":{\"lst\":[/[^,]+/,/[^,]+/,/[^,]+/,/[^,]+/]}}]" nocase wide
       $payload_with_char_in_between =      "[/[^,]+/,\"createSupportBundle\", /[^,]+/, /[^,]+/, {\"1\": {\"str\": /[^,]+/}, \"2\": {\"str\": /.*`.*/ }, \"3\":{\"str\":/[^,]+/},\"4\":{\"lst\":[/[^,]+/,/[^,]+/,/[^,]+/,/[^,]+/]}}]" nocase wide


   condition:
       $httpMethod at 0 and any of (payload_with_char_at_start_or_end, $payload_with_char_in_between) and $urlPath at 0
}



References

Appendix

Source Code of createSupportBundle function

Source Code of createSupportBundle_args class