cbcvebase.
CVE-2023-34051
published 2023-10-20


Priority: P1 · 81 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 44.67% (98.6th percentile)

VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
vmware | aria_operations_for_logs
vmware | aria_operations_for_logs
vmware | aria_operations_for_logs
vmware | aria_operations_for_logs
vmware | aria_operations_for_logs
vmware | aria_operations_for_logs
vmware | aria_operations_for_logs

Detection & IOCs

  • Exploitation abuses IP address spoofing and Thrift RPC endpoints to achieve arbitrary file write on VMware Aria Operations for Logs
  • Default exploit payload writes a cron job to establish a reverse shell; monitor for unexpected cron job creation on VMware Aria Operations for Logs appliances
  • Attacker must spoof the IP address of a master or worker node to exploit the vulnerability; monitor for unexpected traffic from internal node IPs toward the appliance
  • Exploitation requires attacker to have compromised a host within the targeted environment and have permissions to add an extra interface or static IP address; look for unauthorized interface/IP additions on internal hosts
  • CVE-2023-34051 is a bypass for the previously chained VMSA-2023-0001 exploit (CVE-2022-31706 directory traversal + CVE-2022-31704 broken access control); monitor for file injection into the OS of VMware Aria Operations for Logs appliances
  • Public PoC exploit and IOC list released by Horizon3 Attack Team; defenders should consult Horizon3's published indicators of compromise for detection of exploitation attempts
  • CVE-2023-34051 affects VMware Aria Operations for Logs (formerly vRealize Log Insight) and VMware Cloud Foundation; patch per VMSA-2023-0021