| A vulnerability has been discovered VMware Aria Operations for Networks which could allow for remote code execution. VMware Aria Operations for Networks is a network monitoring tool that collects and analyzes metrics, APIs, configurations, metadata, integrations, telemetry netflow, sFlow, and IPFIX flow traffic, which traverses the infrastructure. Successful exploitation of this vulnerability could allow for remote code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Threat Intelligence Greynoise reports that proof-of-concept exploit code is publicly available for CVE-2023-20887 and that they have observed widespread exploitation of the vulnerability in the wild. Systems Affected VMware Aria Operations for Networks Versions 6.2 VMware Aria Operations for Networks Versions 6.3 VMware Aria Operations for Networks Versions 6.4 VMware Aria Operations for Networks Versions 6.5.1 VMware Aria Operations for Networks Versions 6.6 VMware Aria Operations for Networks Versions 6.7 VMware Aria Operations for Networks Versions 6.8 VMware Aria Operations for Networks Versions 6.9 VMware Aria Operations for Networks Versions 6.10 Risk Government: – Large and medium government entities: High – Small government entities: Medium Businesses: – Large and medium business entities: High Small business entities: Medium Home Users: Low Technical Summary A vulnerability has been discovered VMware Aria Operations for Networks which could allow for remote code execution. Recommendations Apply appropriate updates provided by VMware to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. Use intrusion detection signatures to block traffic at network boundaries. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. References VMware: https://www.vmware.com/security/advisories/VMSA-2023-0012.html https://kb.vmware.com/s/article/92684 Greynoise: https://www.greynoise.io/blog/observed-in-the-wild-new-tag-for-cve-2023-20887-vmware-aria-operations-for-networks CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20887 |