Exploit released for critical VMware SSH auth bypass vulnerability

Cyber Security Threat Summary:
Summoning Team’s Sina Kheirkhah recently published proof-of-concept exploit code for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool. Tracked as CVE-2023-34039, the vulnerability can be exploited by remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line interface. The flaw does not require user interaction and can be exploited in low-complexity attacks due to what the company describes as a “lack of unique cryptographic key generation.”

Security Officer Comments:
According to Kheirkhah, the patch documents released by VMware for CVE-2023-34039 included a bash script containing a function named refresh_ssh_keys(), which is responsible for overwriting the current SSH keys for the support and Ubuntu users in the authorized_keys file. Although SSH authentication was implemented, Kheirkhah noted that certain versions (6.0-6.10) of VMware’s Aria Operations for Networks were using hardcoded SSH keys. As such, if a threat actor were to gain access to the key, they could pose as a user and gain access to the VMware Aria Operations for Networks CLI. Although there has been no mention of active exploitation of CVE-2023-34039, with the release of a PoC it won’t be long before threat actors leverage it to target vulnerable versions of Aria Operations for Networks.
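
The "lack of unique cryptographic key generation" described above can be checked for in an inventory: the same public key authorized on more than one appliance means the key was not generated per device. The following is an added example, not code from the original report, from Kheirkhah, or from VMware; the host names, the `fake_key` helper and the key material are constructed, and it assumes the authorized_keys contents have already been collected per host and user.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")

def fingerprints(authorized_keys_text):
    """Return OpenSSH-style SHA256 fingerprints for every parsable key line."""
    found = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the type field first.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    blob = base64.b64decode(fields[i + 1], validate=True)
                except ValueError:
                    break  # malformed entry: skip it rather than guess
                digest = base64.b64encode(hashlib.sha256(blob).digest())
                found.append("SHA256:" + digest.decode().rstrip("="))
                break
    return found

def shared_keys(collected):
    """Map fingerprint -> sorted (host, user) list for keys seen on 2+ hosts."""
    seen = defaultdict(set)
    for (host, user), text in collected.items():
        for fp in fingerprints(text):
            seen[fp].add((host, user))
    return {fp: sorted(locs) for fp, locs in seen.items()
            if len({host for host, _ in locs}) > 1}

def fake_key(label):
    """Build a constructed key line; the blob is sample data, not a real key."""
    return "ssh-rsa " + base64.b64encode(label.encode()).decode() + " " + label

# Constructed inventory: authorized_keys content per (host, user).
SAMPLE = {
    ("appliance-1", "support"): fake_key("shared-image-key"),
    ("appliance-1", "ubuntu"): "# provisioned\n" + fake_key("shared-image-key"),
    ("appliance-2", "support"): "no-pty " + fake_key("shared-image-key"),
    ("appliance-2", "ubuntu"): fake_key("unique-to-appliance-2"),
}

if __name__ == "__main__":
    for fp, locations in shared_keys(SAMPLE).items():
        print(fp, "reused on", locations)
```

The fingerprints use the same SHA256 format that `ssh-keygen -lf` prints, so a flagged value can be compared directly against keys found on other systems.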

Suggested Correction(s):
CVE-2023-34039 was patched by VMware last Wednesday with the release of 6.11. Users should update their appliances as soon as possible to prevent potential exploitation attempts.

Link(s):
https://www.bleepingcomputer.com/