The cybersecurity community has recently been alerted to a critical vulnerability in VMware's Aria Operations for Networks (previously vRealize Network Insight). The flaw, tracked as CVE-2023-34039, carries a CVSS score of 9.8 out of 10 and is an authentication bypass caused by a lack of unique cryptographic key generation.
In plain terms, an attacker with network access to Aria Operations for Networks can bypass SSH authentication and gain access to the system. VMware disclosed the flaw itself in its advisory.
After analysing the patch VMware released, Sina Kheirkhah of Summoning Team published proof-of-concept (PoC) exploit code for the flaw. Kheirkhah traced the root cause to a bash script, specifically a function named refresh_ssh_keys(), which overwrites the authorized_keys entries for the support and ubuntu users.
SSH authentication itself was in place, but the keys it trusted were never regenerated per appliance: every installation received the same key pair, so anyone holding the matching private key can log in as support or ubuntu on any deployment. As a result, the SSH keys for Aria Operations for Networks remained hardcoded from version 6.0 through 6.10.
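The root cause described above is a key that is identical on every installation, which is something a defender can test for without knowing the key in advance. The following Python script is an added example, not VMware's code and not taken from Kheirkhah's PoC: it computes the OpenSSH SHA256 fingerprint of every authorized_keys entry collected from a fleet of appliances and flags any key that appears on more than one host, or that matches a denylist of fingerprints already known to be vendor defaults. The host names and all key bytes are constructed dummy data, not real VMware keys.

```python
"""Fleet check for vendor-default SSH keys in authorized_keys.

Added example, not VMware's code. All key material below is constructed
(deterministic dummy ed25519 public keys), not any real appliance key.
"""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(public_key: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line.

    Used only to construct sample data; the 32 bytes are not a real key.
    """
    if len(public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(public_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint (as printed by `ssh-keygen -l -E sha256`).

    Leading options such as from="10.0.0.1" or no-pty are skipped by locating
    the key-type field and hashing the base64 blob that follows it. Quoted
    options containing whitespace are not parsed (they are rare in practice).
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"no public key found in line: {line!r}")


def _key_lines(content: str):
    """Yield non-empty, non-comment lines of an authorized_keys file."""
    for raw in content.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def shared_keys(hosts: dict[str, str]) -> dict[str, set[str]]:
    """Return {fingerprint: hosts} for every key present on more than one host.

    `hosts` maps a host name to the contents of its authorized_keys file.
    One key trusted on every appliance is exactly the symptom of a build
    process that ships a single key pair instead of generating one per install.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for host, content in hosts.items():
        for line in _key_lines(content):
            seen[fingerprint(line)].add(host)
    return {fp: owners for fp, owners in seen.items() if len(owners) > 1}


def known_default_keys(hosts: dict[str, str], denylist: set[str]) -> list[tuple[str, str]]:
    """Return (host, fingerprint) pairs whose key matches a known-default denylist."""
    hits = []
    for host, content in hosts.items():
        for line in _key_lines(content):
            fp = fingerprint(line)
            if fp in denylist:
                hits.append((host, fp))
    return hits


# Constructed sample fleet (hypothetical host names): the same "support" key on
# every appliance plus one unique per-host admin key.
VENDOR_SUPPORT_KEY = make_ed25519_line(bytes(range(32)), "support@appliance-build")

SAMPLE_FLEET = {
    host: "\n".join([
        "# authorized_keys (constructed sample)",
        VENDOR_SUPPORT_KEY,
        make_ed25519_line(hashlib.sha256(host.encode()).digest(), f"admin@{host}"),
    ])
    for host in ("aria-01", "aria-02", "aria-03")
}


if __name__ == "__main__":
    for fp, owners in shared_keys(SAMPLE_FLEET).items():
        print(f"{fp} trusted on {sorted(owners)}")
```

In practice the inputs would be the support and ubuntu users' authorized_keys files pulled from each appliance; the fingerprints the script computes match `ssh-keygen -lf`, so a hit can be cross-checked on the box. The build-side fix is the mirror image of this check: generate a fresh key pair on first boot of each appliance rather than writing one baked-in key into authorized_keys.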
The same release also fixes CVE-2023-20890, an arbitrary file write vulnerability that lets an attacker who already has administrative access execute code remotely. The two flaws chain naturally: an attacker could first gain access with the CVE-2023-34039 PoC, then use CVE-2023-20890 to run arbitrary code on the appliance.
Separately, VMware has issued fixes for a high-severity SAML token signature bypass (CVE-2023-20900, CVSS score: 7.5) affecting various Windows and Linux versions of VMware Tools. An adversary with a man-in-the-middle position on the network could exploit this flaw to bypass SAML token signature verification and perform VMware Tools Guest Operations.
These issues spotlight the importance of continually updating and vigilantly monitoring your networking tools, to protect your data and defend your infrastructure.
Elsewhere, Fortinet FortiGuard Labs has warned of ongoing exploitation of Adobe ColdFusion vulnerabilities. The attackers deploy cryptocurrency miners and hybrid bots such as Satan DDoS (also known as Lucifer) and RudeMiner (aka SpreadMiner) to carry out cryptojacking and distributed denial-of-service (DDoS) attacks.
Among the other threats is BillGates (also identified as Setag), a notorious backdoor known for hijacking systems, stealing sensitive digital information, and initiating DDoS attacks.
At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.