cbcvebase.
CVE-2023-20889
published 2023-06-07

CVE-2023-20889: Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may…

PriorityP272high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
79.12%
99.5th percentile
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.

Affected

1 ranges
VendorProductVersion rangeFixed in
vmwarevrealize_network_insight6.2.0 – 6.10.0

Detection & IOCsextracted from sources · hover to see the quote

url/api/auth/login
url/api/pdfexport
url/saas./resttosaasservlet
commandcreateSupportBundle
otherapplication/x-thrift
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/saas./resttosaasservlet"; endswith; fast_pattern; http.content_type; bsize:20; content:"application/x-thrift"; http.request_body; content:"createSupportBundle"; content:"|7b 22|str|22 3a 22 60|"; distance:0; content:"|60|"; distance:0; reference:url,summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/; reference:cve,2023-20887; reference:cve,2023-20888; reference:cve,2023-20889; classtype:attempted-admin; sid:2046500; rev:2; metadata:affected_product VMware, attack_target Client_Endpoint, created_at 2023_06_21, cve CVE_2023_20887, deployment Perimeter, confidence High, signature_severity Major, tag CVE_2023_20887, tag CVE_2023_20888, tag CVE_2023_20889, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_27, reviewed_at 2024_10_15;)
bytes
|7b 22|str|22 3a 22 60|
  • The exploit chain targets /api/pdfexport via authenticated POST with a multipart/form-data body containing a CSS @keyframes payload for command injection leading to information disclosure.
  • The exploit first authenticates via /api/auth/login with JSON credentials and extracts a CSRF token (csrfToken) from the response body using regex pattern csrfToken":"([a-z0-9A-Z/+=]+)".
  • Successful exploitation produces an out-of-band DNS or HTTP callback (OAST); detection should monitor for both dns and http interactsh/OOB interactions originating from the target host.
  • The Snort/ET rule detects exploitation attempts by matching POST requests to /saas./resttosaasservlet with Content-Type application/x-thrift and body containing createSupportBundle and backtick-delimited command injection bytes |7b 22|str|22 3a 22 60|.
  • CVE-2023-20889 is an authenticated vulnerability; an attacker must hold valid credentials (at minimum a 'member' role) before performing the command injection for information disclosure.
  • Shodan/FOFA queries can be used to identify exposed VMware Aria Operations / vRealize Network Insight instances: search for title:"VMware Aria Operations" or title:"vmware vrealize network insight".
  • The response to the /api/pdfexport exploitation request returns Content-Type: application/octet-stream with HTTP 200; monitor for this combination on the pdfexport endpoint.
  • ·CVE-2023-20889 requires authentication (valid credentials) to exploit, unlike the related CVE-2023-20887 which is unauthenticated. Detection rules covering the /saas./resttosaasservlet endpoint (ET SID 2046500) primarily target CVE-2023-20887 RCE but are tagged for CVE-2023-20889 as well.
  • ·The Nuclei template for CVE-2023-20889 is marked 'intrusive' and requires valid username/password credentials to be supplied; it will not fire against unauthenticated targets.
  • ·CVE-2023-20887 (the related unauthenticated RCE) is reportedly a patch bypass of CVE-2022-31702; defenders who patched CVE-2022-31702 should not assume they are protected against this CVE cluster.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.