Days after VMware issued patches for a critical-severity vulnerability in its network monitoring tool, the company said that exploit code for the bug has now been published.
The vulnerability (CVE-2023-34039) exists in VMware’s Aria Operations for Networks (formerly vRealize Network Insight) tool, which helps businesses monitor and analyze their networks and applications. According to VMware, the tool has an authentication bypass flaw that stems from a lack of unique cryptographic key generation.
“A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI,” according to VMware in its initial advisory on Tuesday.
On Thursday, VMware updated its advisory to confirm that exploit code had been published for the flaw, though it did not give further details. Versions 6.x of the product are impacted, and the bug has been fixed in VMware Aria Operations for Networks version 6.11.
VMware also announced two important-severity flaws this week. In its Tuesday advisory it issued patches for an arbitrary file write vulnerability (CVE-2023-20890) in Aria Operations for Networks that could allow an authenticated attacker with existing administrative access to the network monitoring platform to write files to arbitrary locations, resulting in remote code execution.
Separately on Thursday, the company issued fixes for an important-severity SAML token signature bypass flaw (CVE-2023-20900) across several Windows and Linux versions of VMware Tools, its set of services and modules that help VMware products better manage guest operating systems.
“A malicious actor with man-in-the-middle (MITM) network positioning in the virtual machine network may be able to bypass SAML token signature verification, to perform VMware Tools Guest Operations,” according to VMware on Thursday.
VMware has previously disclosed several vulnerabilities in Aria Operations for Networks, including a critical command injection bug that made waves a few months ago when it was exploited in the wild. At the time, GreyNoise researchers said they observed attackers target the flaw to deploy reverse shells and gain arbitrary control over vulnerable servers.