CVE-2023-20887 Leads to RCE in VMware Aria Operations for Networks

6
mins read time
CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8 which leads to VMware Aria.
Vikas Kundu
Published on
June 16, 2023
Blog Image

In brief

1. Introduction: Understanding CVE-2023-20887 2. CVE-2023-20087 - Vulnerability Analysis? 3. CVE-2023-20887 - The Command Injection how it works ? 4. How the bypass works 5. Mitigating Risk: Steps to Secure Against CVE-2023-20887 6. Threat detection on CVE-2023-20887

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8. The solution VMware Aria Operations enables IT operations management across private, hybrid, and multi-cloud environments with a unified, high-performance platform. 

This CVE allows an attacker to execute remote commands on the affected instances. An exploit for the vulnerability has already been released publicly and can be used by attackers to target vulnerable instances on a large scale. The instances with Version 6.0 and above are vulnerable to this CVE. VMware has already released a patch for the vulnerability and it is advised to patch your instances.

Affected Product

CVE Type

Version

CVSSv3 base score 

VMware Aria Operations for Networks (Formerly vRealize Network Insight)

Remote Command Injection Vulnerability

6.x

9.8

Vulnerability Analysis

One of the available procedures in VMware is “createSupportBundle”,  The vulnerability is caused by command injection in the support bundle.

The Command Injection

While creating a support bundle in the VMware Aria Operations, a function named “createSupportBundle” is called. This function expects the following parameters in the request command:

  • customerId
  • nodeId
  • requestId 
  • evictionRequestIDs
Note:  In VMware, the createSupportBundle operation refers to a feature that allows users to generate a support bundle for a particular VMware product or component. A support bundle contains diagnostic information and logs that can assist VMware support personnel in troubleshooting issues and providing assistance.

These parameters are parsed as shown in the source code of the class ‘createSupportBundle_args’ in the Appendix. These parameters are then parsed in the form of a struct like this and utilized by the ‘createSupportBundle’ function:



struct {
	customerId,
	nodeId,
	requestId,
	evictionRequestIDs
}

As seen in the source code of the function ‘createSupportBundle’ function in the Appendix, the ‘nodeId’ will be passed to the function ‘evictPublishedSupportBundles’ in the ‘ScriptUtils’ class. The source code of ‘evictPublishedSupportBundles’ looks as follows:

Source Code of evictPublishedSupportBundles function

Now, if we observe carefully, line 16 takes the ‘nodeID’ and line 21 runs it as a command on the system. Therefore, by using an escape character like (`), an attacker can execute their own commands leading to a code execution vulnerability.

Therefore in order to execute commands, an attacker can make a post request with the following data:

A sample JSON object used in the post request to execute commands

The key “2” is supposed to be nodeId in this malicious request (based on the struct mentioned earlier). Now in order to do this remotely, all an attacker needs to do is to make a request to the “saasresttosaasservlet” endpoint i.e. “https://vulnerable-domain.com/saas.resttosaasservlet”. 

Although this command execution is relatively easy to achieve, there is a catch. The nginx configuration located at `/etc/nginx/sites-available/vnera` restricts access to the `/saasresttosaasservlet` endpoint when accessed via port 443. The rule specifically permits requests originating only from the ‘localhost’. Any successful request made to this endpoint will be proxied to port 9090, which hosts an Apache Thrift RPC Server.

 

The Bypass

If we look at the Apache configuration file at “/etc/nginx/sites-available/vnera” which restricts access to the vulnerable endpoint from the internet we can see the following rule “rewrite ^/saas(.*)$ /$1 break;” as seen in the image below.

Source code of the Apache config file at /etc/nginx/sites-available/vnera

This rule can now be bypassed by passing a URL with “.” such as: “https://<IP-OF-SERVER>/saas./resttosaasservlet”. This will be treated by the regex and converted to the following URL:  “https://<IP-OF-SERVER>/./resttosaasservlet”, thus bypassing the restriction in place and allowing access to the vulnerable code remotely leading to an RCE to be achieved.

What is alarming here is that the proof of concept for this vulnerability has already been released on Git Hub and can be utilized by the attackers to compromise unpatched instances of VMware Aria Operations for Networks.

Mitigations

Patch the vulnerable endpoints by downloading the updated version from https://kb.vmware.com/s/article/92684 

Threat Detection

The following YARA rule can be used to detect an attacker trying to exploit this vulnerability on your network. The rule is based on the following logic:

  1. The attacker is trying to access the vulnerable endpoint using the path: “/saas./resttosaasservlet”.
  2. The attacker is using the HTTP POST method at this endpoint.
  3. The post data contains the character ` in the beginning, end, or between.


rule Detect_VMWare_Aria_RCE_Network
{
   meta:
       description = "Detects network traffic related to VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE"
       author = "Vikas Kundu"
       reference = "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"


   strings:
       $httpMethod = "POST" nocase wide
       $urlPath = "/saas./resttosaasservlet" nocase wide
       $payload_with_char_at_start_or_end = "[/[^,]+/,\"createSupportBundle\", /[^,]+/, /[^,]+/, {\"1\": {\"str\": /[^,]+/}, \"2\": {\"str\": /`.*`/}, \"3\":{\"str\":/[^,]+/},\"4\":{\"lst\":[/[^,]+/,/[^,]+/,/[^,]+/,/[^,]+/]}}]" nocase wide
       $payload_with_char_in_between =      "[/[^,]+/,\"createSupportBundle\", /[^,]+/, /[^,]+/, {\"1\": {\"str\": /[^,]+/}, \"2\": {\"str\": /.*`.*/ }, \"3\":{\"str\":/[^,]+/},\"4\":{\"lst\":[/[^,]+/,/[^,]+/,/[^,]+/,/[^,]+/]}}]" nocase wide


   condition:
       $httpMethod at 0 and any of (payload_with_char_at_start_or_end, $payload_with_char_in_between) and $urlPath at 0
}



References

Appendix

Source Code of createSupportBundle function

Source Code of createSupportBundle_args class

Related Posts
Blog Image
July 28, 2023

Amadey Equipped with AV Disabler drops Redline Stealer

Our researchers have found out The Amadey botnet is now using a new Healer AV disabler to disable Microsoft Defender and infect target systems with Redline stealer.

Blog Image
July 11, 2023

Breaking into the Bandit Stealer Malware Infrastructure

CloudSEK's threat researchers discovered a new Bandit Stealer malware web panel on 06 July 2023, with at least 14 active instances.

KYC Verification Evasions Leads to Exploitation of Virtual Cameras & App Emulators

CloudSEK's Threat Intelligence Team recently uncovered a comprehensive tutorial on bypassing selfie verification in a Russian-speaking Cybercrime Forum.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.