CVE-2023-20889
published 2023-06-07CVE-2023-20889: Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may…
PriorityP272high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
79.12%
99.5th percentile
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | vrealize_network_insight | 6.2.0 – 6.10.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
url/api/auth/login
url/api/pdfexport
url/saas./resttosaasservlet
commandcreateSupportBundle
otherapplication/x-thrift
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/saas./resttosaasservlet"; endswith; fast_pattern; http.content_type; bsize:20; content:"application/x-thrift"; http.request_body; content:"createSupportBundle"; content:"|7b 22|str|22 3a 22 60|"; distance:0; content:"|60|"; distance:0; reference:url,summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/; reference:cve,2023-20887; reference:cve,2023-20888; reference:cve,2023-20889; classtype:attempted-admin; sid:2046500; rev:2; metadata:affected_product VMware, attack_target Client_Endpoint, created_at 2023_06_21, cve CVE_2023_20887, deployment Perimeter, confidence High, signature_severity Major, tag CVE_2023_20887, tag CVE_2023_20888, tag CVE_2023_20889, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_27, reviewed_at 2024_10_15;)
bytes
|7b 22|str|22 3a 22 60|
- →The exploit chain targets /api/pdfexport via authenticated POST with a multipart/form-data body containing a CSS @keyframes payload for command injection leading to information disclosure.
- →The exploit first authenticates via /api/auth/login with JSON credentials and extracts a CSRF token (csrfToken) from the response body using regex pattern csrfToken":"([a-z0-9A-Z/+=]+)".
- →Successful exploitation produces an out-of-band DNS or HTTP callback (OAST); detection should monitor for both dns and http interactsh/OOB interactions originating from the target host.
- →The Snort/ET rule detects exploitation attempts by matching POST requests to /saas./resttosaasservlet with Content-Type application/x-thrift and body containing createSupportBundle and backtick-delimited command injection bytes |7b 22|str|22 3a 22 60|.
- →CVE-2023-20889 is an authenticated vulnerability; an attacker must hold valid credentials (at minimum a 'member' role) before performing the command injection for information disclosure. ↗
- →Shodan/FOFA queries can be used to identify exposed VMware Aria Operations / vRealize Network Insight instances: search for title:"VMware Aria Operations" or title:"vmware vrealize network insight".
- →The response to the /api/pdfexport exploitation request returns Content-Type: application/octet-stream with HTTP 200; monitor for this combination on the pdfexport endpoint.
- ·CVE-2023-20889 requires authentication (valid credentials) to exploit, unlike the related CVE-2023-20887 which is unauthenticated. Detection rules covering the /saas./resttosaasservlet endpoint (ET SID 2046500) primarily target CVE-2023-20887 RCE but are tagged for CVE-2023-20889 as well. ↗
- ·The Nuclei template for CVE-2023-20889 is marked 'intrusive' and requires valid username/password credentials to be supplied; it will not fire against unauthenticated targets.
- ·CVE-2023-20887 (the related unauthenticated RCE) is reportedly a patch bypass of CVE-2022-31702; defenders who patched CVE-2022-31702 should not assume they are protected against this CVE cluster. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-jjr8-xqm6-pj73: Aria Operations for Networks contains an information disclosure vulnerability
ghsa_unreviewed·2023-07-06
CVE-2023-20889 [HIGH] CWE-77 GHSA-jjr8-xqm6-pj73: Aria Operations for Networks contains an information disclosure vulnerability
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.
VMware
VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
vendor_vmware·2023-06-07·CVSS 9.8
CVE-2023-20887 [CRITICAL] VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
VMSA-2023-0012: VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
Aria Operations for Networks contains a command injection vulnerability. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.
CVEs: CVE-2023-20887, CVE-2023-20888, CVE-2023-20889
Affected products: VMware Aria
Suricata
ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)
suricata·2023-06-21·CVSS 9.8
CVE-2023-20887 [CRITICAL] ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)
ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/saas./resttosaasservlet"; endswith; fast_pattern; http.content_type; bsize:20; content:"application/x-thrift"; http.request_body; content:"createSupportBundle"; content:"|7b 22|str|22 3a 22 60|"; distance:0; content:"|60|"; distance:0; reference:url,summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/; reference:cve,2023-20887; reference:cve,2023-20888; reference:cve,2023-20889; classtype:attempted-admin; sid:2046500; rev:2; metadata:affected_product VMware, attack_target Client_Endpoin
Nuclei
VMware Aria Operations for Networks - Code Injection Information Disclosure Vulnerability
nuclei·CVSS 7.5
CVE-2023-20889 [HIGH] VMware Aria Operations for Networks - Code Injection Information Disclosure Vulnerability
VMware Aria Operations for Networks - Code Injection Information Disclosure Vulnerability
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.
Template:
id: CVE-2023-20889
info:
name: VMware Aria Operations for Networks - Code Injection Information Disclosure Vulnerability
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.
impact: |
Successfu
2023-06-07
Published