In brief
1. Introduction: Understanding CVE-2023-20887
2. CVE-2023-20087 - Vulnerability Analysis?
3. CVE-2023-20887 - The Command Injection how it works ?
4. How the bypass works
5. Mitigating Risk: Steps to Secure Against CVE-2023-20887
6. Threat detection on CVE-2023-20887

‍

‍

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8. The solution VMware Aria Operations enables IT operations management across private, hybrid, and multi-cloud environments with a unified, high-performance platform. 

This CVE allows an attacker to execute remote commands on the affected instances. An exploit for the vulnerability has already been released publicly and can be used by attackers to target vulnerable instances on a large scale. The instances with Version 6.0 and above are vulnerable to this CVE. VMware has already released a patch for the vulnerability and it is advised to patch your instances.

‍

‍

‍Vulnerability Analysis

One of the available procedures in VMware is “createSupportBundle”,  The vulnerability is caused by command injection in the support bundle.

‍

The Command Injection

While creating a support bundle in the VMware Aria Operations, a function named “createSupportBundle” is called. This function expects the following parameters in the request command:

• customerId
• nodeId
• requestId 
• evictionRequestIDs

Note:  In VMware, the createSupportBundle operation refers to a feature that allows users to generate a support bundle for a particular VMware product or component. A support bundle contains diagnostic information and logs that can assist VMware support personnel in troubleshooting issues and providing assistance.

‍

These parameters are parsed as shown in the source code of the class ‘createSupportBundle_args’ in the Appendix. These parameters are then parsed in the form of a struct like this and utilized by the ‘createSupportBundle’ function:

struct {
	customerId,
	nodeId,
	requestId,
	evictionRequestIDs
}

As seen in the source code of the function ‘createSupportBundle’ function in the Appendix, the ‘nodeId’ will be passed to the function ‘evictPublishedSupportBundles’ in the ‘ScriptUtils’ class. The source code of ‘evictPublishedSupportBundles’ looks as follows:

‍

‍

‍

Now, if we observe carefully, line 16 takes the ‘nodeID’ and line 21 runs it as a command on the system. Therefore, by using an escape character like (`), an attacker can execute their own commands leading to a code execution vulnerability.

‍

Therefore in order to execute commands, an attacker can make a post request with the following data:

‍

‍

‍

The key “2” is supposed to be nodeId in this malicious request (based on the struct mentioned earlier). Now in order to do this remotely, all an attacker needs to do is to make a request to the “saasresttosaasservlet” endpoint i.e. “https://vulnerable-domain.com/saas.resttosaasservlet”. 

‍

Although this command execution is relatively easy to achieve, there is a catch. The nginx configuration located at `/etc/nginx/sites-available/vnera` restricts access to the `/saasresttosaasservlet` endpoint when accessed via port 443. The rule specifically permits requests originating only from the ‘localhost’. Any successful request made to this endpoint will be proxied to port 9090, which hosts an Apache Thrift RPC Server.

‍

The Bypass

If we look at the Apache configuration file at “/etc/nginx/sites-available/vnera” which restricts access to the vulnerable endpoint from the internet we can see the following rule “rewrite ^/saas(.*)$ /$1 break;” as seen in the image below.

‍

‍

‍

This rule can now be bypassed by passing a URL with “.” such as: “https://<IP-OF-SERVER>/saas./resttosaasservlet”. This will be treated by the regex and converted to the following URL:  “https://<IP-OF-SERVER>/./resttosaasservlet”, thus bypassing the restriction in place and allowing access to the vulnerable code remotely leading to an RCE to be achieved.

‍

What is alarming here is that the proof of concept for this vulnerability has already been released on Git Hub and can be utilized by the attackers to compromise unpatched instances of VMware Aria Operations for Networks.

‍

Mitigations

Patch the vulnerable endpoints by downloading the updated version from https://kb.vmware.com/s/article/92684 

‍

Threat Detection

The following YARA rule can be used to detect an attacker trying to exploit this vulnerability on your network. The rule is based on the following logic:

1. The attacker is trying to access the vulnerable endpoint using the path: “/saas./resttosaasservlet”.
2. The attacker is using the HTTP POST method at this endpoint.
3. The post data contains the character ` in the beginning, end, or between.

‍

rule Detect_VMWare_Aria_RCE_Network
{
   meta:
       description = "Detects network traffic related to VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE"
       author = "Vikas Kundu"
       reference = "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"


   strings:
       $httpMethod = "POST" nocase wide
       $urlPath = "/saas./resttosaasservlet" nocase wide
       $payload_with_char_at_start_or_end = "[/[^,]+/,\"createSupportBundle\", /[^,]+/, /[^,]+/, {\"1\": {\"str\": /[^,]+/}, \"2\": {\"str\": /`.*`/}, \"3\":{\"str\":/[^,]+/},\"4\":{\"lst\":[/[^,]+/,/[^,]+/,/[^,]+/,/[^,]+/]}}]" nocase wide
       $payload_with_char_in_between =      "[/[^,]+/,\"createSupportBundle\", /[^,]+/, /[^,]+/, {\"1\": {\"str\": /[^,]+/}, \"2\": {\"str\": /.*`.*/ }, \"3\":{\"str\":/[^,]+/},\"4\":{\"lst\":[/[^,]+/,/[^,]+/,/[^,]+/,/[^,]+/]}}]" nocase wide


   condition:
       $httpMethod at 0 and any of (payload_with_char_at_start_or_end, $payload_with_char_in_between) and $urlPath at 0
}

‍

References

• ^#Traffic Light Protocol - Wikipedia
• https://github.com/sinsinology/CVE-2023-20887 
• https://kb.vmware.com/s/article/92684 
• https://www.vmware.com/security/advisories/VMSA-2023-0012.html 

‍

Appendix

‍

‍

‍

‍

‍