Reference: Advisory #2023-67
Version: 1.0
Affected software: VMware Aria Operations for Networks version 6.x
Type: Remote Code Execution (RCE), information disclosure
CVE/CVSS:
VMware - https://www.vmware.com/security/advisories/VMSA-2023-0012.html
All three vulnerabilities have a HIGH impact on Confidentiality, Integrity, and Availability. Authentication and user interaction are not required to exploit this vulnerability.
CVE-2023-20887: Command Injection Vulnerability
A malicious actor with network access to VMware Aria Operations for Networks can perform a command injection attack resulting in remote code execution.
CVE-2023-20888: Authenticated Deserialization Vulnerability
A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials can perform a deserialization attack resulting in remote code execution.
CVE-2023-20889: Information Disclosure Vulnerability
A malicious actor with network access to VMware Aria Operations for Networks can perform a command injection attack resulting in information disclosure.
The Centre for Cyber Security Belgium strongly recommends that system administrators visit VMware's download page to apply the necessary patches.
https://nvd.nist.gov/vuln/detail/CVE-2023-20887
https://nvd.nist.gov/vuln/detail/CVE-2023-20888
https://nvd.nist.gov/vuln/detail/CVE-2023-20889