VMware warns to patch now against exploitable bugs

VMware is warning that high-severity bugs first disclosed last week now have proof-of-concept (PoC) exploit code available, and need to be patched.

The company’s October 19 advisory for CVE-2023-34051 (an authentication bypass bug) and CVE-2023-34052 (a deserialisation vulnerability) has been updated to reflect the existence of the exploit code.

The two bugs affect its Aria Operations for Logs (formerly vRealize Logs) software.

According to a technical analysis by Horizon3, the latest bugs arose because of an incomplete fix for the issues disclosed earlier this year, in this advisory.

VMware closed a bug in its Thrift services, which Horizon3 explained was meant to make the other vulnerabilities unreachable.

“Since the patch only blocks access to Thrift services by IP and did not fix the other CVEs in VMSA-2023-0001, all an attacker needs to do is spoof their IP address and use the previous attack,” Horizon3 said.

“For this attack to work we need: At least two instances of VMware vRealize Log Insight in a master / worker configuration; [and] An attacker machine that uses the same source IP address as the worker node (if attacking the master).”

The researchers noted that while the attack was straightforward, "it relies on the attacker having compromised an existing host in the environment and having the sufficient permissions to add an additional static IP to an existing interface or add an additional interface.”

Horizon3’s PoC code is on GitHub.