Vulnerability in VMware Aria Operations for Networks
VMware has recently released a security advisory for CVE-2023-20887, a command injection vulnerability in VMware Aria Operations for Networks (formerly known as vRealize Network Insight) that is being exploited by attackers.
This vulnerability allows attackers to achieve Remote Code Execution (RCE), i.e., to run arbitrary or manipulated code on the victim’s system. This can lead to unauthorized access to, control of, and manipulation of the user’s system.
GreyNoise, a threat intelligence firm, has collected data on this attack activity and found that the exploitation came from two different IP addresses, with the attackers located in the Netherlands.
Command Injection Vulnerability:
Injection vulnerabilities occur when attackers supply malicious, untrusted data, commands or queries to an application and an interpreter executes them.
If this user input is not properly validated, an attacker can exploit it by modifying the input and thereby gain unauthorized access to data and the ability to manipulate it.
Command injection occurs when user input is passed directly to operating system commands. This allows the attacker to execute arbitrary operating system commands on the web server, leading to system compromise and leakage of data.
Root Cause Analysis:
The vulnerability was discovered in VMware Aria Operations for Networks, formerly known as vRealize Network Insight. Administrators use this tool for deep analysis of their networks, which helps them optimize network performance.
VMware Aria Operations for Networks is vulnerable to command injection when it accepts user input through its Apache Thrift RPC interface.
This vulnerability allows a remote, unauthenticated attacker to achieve Remote Code Execution (RCE), i.e., to execute arbitrary commands on the operating system of the user’s system.
At its core, the vulnerability is a command injection flaw. To make use of it, however, the attacker needs to establish a connection with the user’s system.
For this, the attacker uses a reverse shell technique: the compromised victim system connects out over the network to a server controlled by the attacker, who then sends commands to the victim’s system through that connection.
This gives the attacker unauthorized access to the victim’s system as the root user.
Preventive Measures:
- VMware recommends that its users upgrade to the latest version of the tool.
- Do not pass user input directly to system commands.
- Validate user input properly before using it in shell commands.
- Apply the Principle of Least Privilege to restrict access privileges and limit what an attacker can do with injected, manipulated code.
- Keep a proper log of all executed shell commands and monitor these logs regularly for any suspicious activity.
- Use a web application firewall.
- Test the security of the application and the system regularly, using both automated testing tools and manual testing methods.
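The command injection pattern described above and the listed mitigations (no direct use of input in system commands, input validation, logging of executed commands), as an added example that is not code from VMware or from the advisory: a small "ping a host" helper in the vulnerable shape, beside a hardened form. The allow-list pattern and the ping command are assumptions chosen for illustration.

```python
import logging
import re
import shlex
import subprocess

# Added example, not code from VMware or the advisory: a minimal "ping a host"
# helper in the vulnerable shape the article describes, beside a hardened form
# that applies the listed mitigations (no shell, allow-list validation, logging).
logging.basicConfig(level=logging.INFO)
log = logging.getLogger("cmd-audit")


def ping_host_vulnerable(host: str) -> str:
    """Splices user input into a shell command string: shell metacharacters
    such as ';' in `host` become extra commands. Shown for contrast only."""
    return subprocess.run(f"ping -c 1 {host}", shell=True,
                          capture_output=True, text=True).stdout


# Allow-list for the single argument we accept (hostname or IPv4 literal).
# The pattern is an assumption for this example; tighten it to your inputs.
# The first character excludes '-' so the value cannot be parsed as an option.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def validate_host(host: str) -> str:
    """Reject anything outside the allow-list before it reaches a command."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def build_argv(host: str) -> list:
    """Build the command as an argument vector; no shell is ever involved."""
    return ["ping", "-c", "1", validate_host(host)]


def ping_host_safe(host: str, run=subprocess.run) -> str:
    """Hardened form: validated input, argv list (shell=False), audit log."""
    argv = build_argv(host)
    log.info("exec %s", shlex.join(argv))  # shlex.join quotes for readable logs
    return run(argv, shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed sample inputs: one benign, two carrying injection attempts.
    for candidate in ["127.0.0.1", "127.0.0.1; id", "-c 9999 127.0.0.1"]:
        try:
            print(candidate, "->", build_argv(candidate))
        except ValueError as exc:
            print(exc)
```

The `run` parameter lets the hardened function be exercised with a stand-in runner, so the validation and logging path can be tested without sending any network traffic.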