VMware Aria Operations for Network was discovered with an Authentication Bypass vulnerability previously, which had a critical severity. VMware has released patches for fixing this vulnerability. However, a Proof-of-concept and the patch file provided by VMware have been briefed.
CVE-2023-34039 was the CVE ID assigned to this vulnerability. According to VMware, the vulnerability exists due to the lack of unique cryptographic key generation that leads to an authentication bypass. After analyzing, it was discovered that this was not an authentication bypass vulnerability. Instead, this is a hardcoded SSH key issue.
Proof Of Concept –CVE-2023-34039
As per reports shared to Cyber Security News, researchers analyzed the patch files released by VMware as part of the patch. There were multiple patch files, and one of them was a bash script.
The bash script consisted of a function called “refresh_ssh_keys” which is used for overwriting the current SSH keys used by support and Ubuntu users in the VMware instance. The SSH keys were identical for both users, who were a part of the sudoers group with no limitations.
VMware Aria Operations for Network’s implementation contains two machines, Platform and Collector, which can be exploited due to this vulnerability.
In addition to this, VMware Aria Operations did not implement this refresh_ssh_keys function from version 6.0 to 6.10, giving threat actors a wide vector of attack space. All these versions have unique SSH keys collected by the researchers, and an exploit PoC has been released.
As per the security advisory released by VMware, Users of VMware Aria Operations for Networks are recommended to upgrade to the latest version, 6.11, which has been confirmed to be unaffected by this vulnerability.