Attacker Value

Very High

(1 user assessed)

Exploitability

High

(1 user assessed)

User Interaction

CVE-2023-34039

Disclosure Date: August 29, 2023 •

CVE-2023-34039 CVSS v3 Base Score: 9.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/linux/ssh/vmware_vrni_known_privkey

Description

Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.

Add Assessment

cbeek-r7 (181)

October 16, 2023 6:53am UTC (1 year ago)

Ratings

Attacker Value

Very High

Exploitability

High

Common in enterprise Easy to weaponize Unauthenticated Vulnerable in default configuration

Technical Analysis

The transition of VMWare Aria Operations for Networks (vRealize Network Insight) from version 6.0 to 6.10 failed to generate new SSH keys for the support and ubuntu users. Consequently, this oversight enabled a malicious actor with SSH access to attain root shell access to the product.

Every iteration of VMware’s Aria Operations for Networks possesses a distinct SSH key. Crafting a comprehensive exploit necessitated the assembly of these keys from various product versions. It’s worth noting that the most recent release, 6.11, remains immune to this problem as VMware had rectified the issue before its launch.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

vmware

Products

aria operations for networks

Metasploit Modules

exploit/linux/ssh/vmware_vrni_known_privkey (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb)

References

Canonical

CVE-2023-34039 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34039)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

https://github.com/sinsinology/CVE-2023-34039

CVE-2023-34039 (https://github.com/Cyb3rEnthusiast/CVE-2023-34039) (Added by AKB Worker)

Miscellaneous

https://www.vmware.com/security/advisories/VMSA-2023-0018.html

http://packetstormsecurity.com/files/174452/VMWare-Aria-Operations-For-Networks-Remote-Code-Execution.html

https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/

http://packetstormsecurity.com/files/175320/VMWare-Aria-Operations-For-Networks-SSH-Private-Key-Exposure.html

Rapid7

Very High

CVE-2023-34039

Very High

High

None

None

Network

CVE-2023-34039

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2023-34039

Very High

High

None

None

Network

CVE-2023-34039

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification