View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 30, 2023updated 31 Aug 2023 9:02am

Dangerous new VMware vulnerabilities discovered

The flaws in the virtualisation vendor's Aria Operations for Networks monitoring tool could cause big problems.

By Claudia Glover

Two new vulnerabilities, one of which is critical, have been discovered in VMware’s Aria Operations for Networks software. The virtualisation vendor has released patches to counter the bugs, which could allow attackers to launch attacks remotely from inside infected systems.

VMware patches security flaws in a new software update. (Photo by Tada Images/Shutterstock)

The patches will secure any systems that include the vulnerability, VMware said. Aria Operations for Networks is a network monitoring tool produced by the company that helps users build secure network infrastructure across different clouds.

Vulnerabilities in VMware Aria Operations for Networks

The more severe flaw mentioned within the advisory, tracked as CVE-2023-34039, comes with a critical 9.8 CVSS score. It is an “authentication bypass vulnerability”, caused by “a lack of unique cryptographic key generation”. The flaw could be exploited by hackers to bypass SSH authentication cryptographic keys and gain access to the Aria Operations for Networks command line interface.

The second exploit, CVE-2023-20890, allows an authenticated, unauthorised intruder with administrative access to write files to arbitrary locations. It has a high CVSS score of 7.2.

Because Aria Operations for Networks straddles different clouds, the flaws could enable hackers to access infrastructure from multiple providers if left unpatched.

Researchers Harsh Jaiswal and Rahul Maini, from enterprise security platform ProjectDiscovery, have been credited with uncovering and reporting the issue. 

VMware vulnerabilities can be damaging

VMware’s software is a common target for cybercriminals, and the same product, Aria Operations for Networks, was included in a warning released by US cybersecurity agency CISA in June after several critical vulnerabilities in the software were flagged

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

The CISA release urged users and administrators to apply the necessary updates, explaining that the vulnerabilities were “evaluated to fall within the critical severity range, as a malicious actor with network access may be able to perform a command injection attack resulting in remote code execution,” similar to the current vulnerabilities.

Earlier this year VMware’s ESXi software was continuously attacked with ransomware attacks that found their mark in droves of organisations, including Florida’s Supreme Court and Italy’s cybersecurity agency. The attacks were so successful they gained the nickname ESXiArgs. The final tally of victims of the ransomware wave was more than 3,800 according to the digital extortion tracking platform RansomWhere.

Paul Lewis, CISO at security company Nominet, told Tech Monitor at the time that virtual systems can act as an entry point to online networks. “Virtual machines are generally used for elastic, high-capacity systems and services,” Lewis said. “There are opportunities to potentially use this kind of technology to proliferate quicker because it’s all software, rather than boxes in data centres.”

Read more: Hacking gangs form ‘Five Families’ crime syndicate

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU