VMware updated a security advisory published two weeks ago to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks.
“VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild,” the company said today.
This notice follows multiple warnings from cybersecurity firm GreyNoise, the first issued one week after VMware patched the security flaw on June 15 and just two days after security researcher Sina Kheirkhah shared technical details and proof-of-concept exploit code.
“We have observed attempted mass-scanning activity utilizing the Proof-Of-Concept code mentioned above in an attempt to launch a reverse shell which connects back to an attacker controlled server in order to receive further commands,” GreyNoise research analyst Jacob Fisher said.
GreyNoise CEO Andrew Morris also alerted VMware admins of this ongoing malicious activity earlier today, which likely prompted VMware to update its advisory.
GreyNoise now provides a dedicated tag to help keep track of IP addresses observed while attempting to exploit CVE-2023-20887.
The vulnerability impacts VMware Aria Operations for Networks (formerly vRealize Network Insight), a network analytics tool that helps admins optimize network performance or manage VMware and Kubernetes deployments.
Unauthenticated threat actors can exploit this command injection flaw in low-complexity attacks that don’t require user interaction.
“VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface,” Kheirkhah explained in a root cause analysis of the security bug.
“This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user.”
No workarounds are available to remove the attack vector for CVE-2023-20887, so admins must patch all VMware Aria Operations Networks 6.x on-prem installations to ensure they’re secure from ongoing attacks.
A complete list of security patches for all vulnerable Aria Operations for Networks versions is available on VMware’s Customer Connect website.
Source: https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-vrealize-flaw-exploited-in-attacks/