CVE-2023-20888
published 2023-06-07CVE-2023-20888: Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for…
PriorityP182high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
82.28%
99.6th percentile
Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | vrealize_network_insight | 6.2.0 – 6.10.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
path/saas./resttosaasservlet
otherContent-Type: application/x-thrift
commandcreateSupportBundle
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/saas./resttosaasservlet"; endswith; fast_pattern; http.content_type; bsize:20; content:"application/x-thrift"; http.request_body; content:"createSupportBundle"; content:"|7b 22|str|22 3a 22 60|"; distance:0; content:"|60|"; distance:0; reference:url,summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/; reference:cve,2023-20887; reference:cve,2023-20888; reference:cve,2023-20889; classtype:attempted-admin; sid:2046500; rev:2; metadata:affected_product VMware, attack_target Client_Endpoint, created_at 2023_06_21, cve CVE_2023_20887, deployment Perimeter, confidence High, signature_severity Major, tag CVE_2023_20887, tag CVE_2023_20888, tag CVE_2023_20889, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_27, reviewed_at 2024_10_15;)
bytes
|7b 22|str|22 3a 22 60|
- →Monitor for POST requests to /api/events/push-notifications with a Java deserialization gadget payload in the request body (endOffset field), following a successful login to /api/auth/login with 'member' role credentials.
- →Detect POST requests to /saas./resttosaasservlet with Content-Type: application/x-thrift and body containing 'createSupportBundle' and backtick-wrapped command injection sequences (byte pattern |7b 22|str|22 3a 22 60|).
- →Use Shodan/FOFA queries to identify exposed VMware Aria Operations / vRealize Network Insight instances as potential targets: title:"VMware Aria Operations" or http.title:"vmware vrealize network insight".
- →A successful exploit attempt against CVE-2023-20888 will return HTTP 500 from the /api/events/push-notifications endpoint while triggering an out-of-band DNS interaction (OAST), indicating deserialization execution.
- →Extract the CSRF token from the login response body (csrfToken field) and include it as X-Vrni-Csrf-Token header in subsequent exploit requests — its absence or null value in the login step is a distinguishing characteristic of the attack flow.
- ·CVE-2023-20888 requires authenticated access with a valid 'member' role — exploitation is not unauthenticated, unlike the related CVE-2023-20887 command injection. ↗
- ·The Snort/ET rule (sid:2046500) is primarily written for CVE-2023-20887 (command injection via /saas./resttosaasservlet) but is tagged for CVE-2023-20888 and CVE-2023-20889 as well — analysts should not rely solely on this rule for CVE-2023-20888 deserialization detection.
- ·At the time of the Tenable blog publication (June 14, 2023), no public PoC was available specifically for CVE-2023-20888; the available PoC covered CVE-2023-20887. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-pv9w-3hhv-xhxr: Aria Operations for Networks contains an authenticated deserialization vulnerability
ghsa_unreviewed·2023-07-06
CVE-2023-20888 [HIGH] CWE-502 GHSA-pv9w-3hhv-xhxr: Aria Operations for Networks contains an authenticated deserialization vulnerability
Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.
VMware
VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
vendor_vmware·2023-06-07·CVSS 9.8
CVE-2023-20887 [CRITICAL] VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
VMSA-2023-0012: VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
Aria Operations for Networks contains a command injection vulnerability. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.
CVEs: CVE-2023-20887, CVE-2023-20888, CVE-2023-20889
Affected products: VMware Aria
Suricata
ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)
suricata·2023-06-21·CVSS 9.8
CVE-2023-20887 [CRITICAL] ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)
ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/saas./resttosaasservlet"; endswith; fast_pattern; http.content_type; bsize:20; content:"application/x-thrift"; http.request_body; content:"createSupportBundle"; content:"|7b 22|str|22 3a 22 60|"; distance:0; content:"|60|"; distance:0; reference:url,summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/; reference:cve,2023-20887; reference:cve,2023-20888; reference:cve,2023-20889; classtype:attempted-admin; sid:2046500; rev:2; metadata:affected_product VMware, attack_target Client_Endpoin
Nuclei
VMware Aria Operations for Networks - Remote Code Execution
nuclei·CVSS 8.8
CVE-2023-20888 [HIGH] VMware Aria Operations for Networks - Remote Code Execution
VMware Aria Operations for Networks - Remote Code Execution
Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.
Template:
id: CVE-2023-20888
info:
name: VMware Aria Operations for Networks - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.
2023-06-07
Published