PoC Exploits Released for Citrix and VMware Vulnerabilities

Oct 25, 2023 | Newsroom | Exploitation / Vulnerability


Virtualization service provider VMware is alerting customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs.

Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability is an authentication bypass that could lead to remote code execution.

“An unauthenticated, malicious actor could inject files into the operating system of an affected appliance that could result in remote code execution,” VMware noted in an advisory on October 19, 2023.

James Horseman from Horizon3.ai and the Randori Attack Team are credited with discovering and reporting the bug.

Horizon3.ai has since made available a PoC for the vulnerability, prompting VMware to revise its advisory this week.

It’s worth noting that CVE-2023-34051 is a patch bypass for a set of critical flaws that VMware addressed earlier this January that could expose users to remote code execution attacks.


“This patch bypass is not very difficult for an attacker to find,” Horseman said. “This attack highlights the importance of defense in depth. A defender cannot always be confident that an official patch fully mitigates a vulnerability.”

The disclosure comes as Citrix issued its own advisory, urging customers to apply fixes for CVE-2023-4966 (CVSS score: 9.4), a critical security vulnerability which affects NetScaler ADCs and NetScaler Gateways and is under active exploitation in the wild.

“We have already had reports of incidents consistent with session hijacking, and we have received credible reports of targeted attacks exploiting this vulnerability,” the company said this week, confirming a report from Google-owned Mandiant.

Exploitation efforts are also likely to increase in the coming days due to the availability of a PoC exploit, called Citrix Bleed.

“Here we see an interesting example of a vulnerability due to an incomplete understanding of snprintf,” Assetnote researcher Dylan Pindur said.


“Although snprintf is recommended as a safe version of sprintf, it is still important to be careful. Buffer overflow is avoided by using snprintf, but the subsequent buffer over-read is still an issue.”
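
The snprintf pitfall described in the quote above, as an added example (not Assetnote's or Citrix's code): snprintf returns the length the full output would have had, so treating that value as the number of bytes to send reads past the end of the buffer. The function names, format string and buffer size are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RESP_CAP 64 /* constructed buffer size, not a value from any advisory */

/* Flawed pattern (hypothetical helper): trusts snprintf's return value as
 * "bytes written". snprintf returns the length the complete output WOULD
 * have had, so for an oversized input the result exceeds RESP_CAP and a
 * later send(buf, n) would read memory beyond buf. The write itself is
 * bounded, which is why there is no overflow, only an over-read. */
static int response_len_flawed(char *buf, const char *name)
{
    return snprintf(buf, RESP_CAP, "{\"name\":\"%s\"}", name);
}

/* Hardened pattern: a negative result is an encoding error and a result
 * >= capacity means the output was truncated. Refuse to send in both cases. */
static int response_len_checked(char *buf, const char *name)
{
    int n = snprintf(buf, RESP_CAP, "{\"name\":\"%s\"}", name);
    if (n < 0 || n >= RESP_CAP)
        return -1;
    return n;
}

int main(void)
{
    char buf[RESP_CAP];
    char long_name[201]; /* constructed oversized input */
    memset(long_name, 'a', 200);
    long_name[200] = '\0';

    printf("short input, flawed : %d\n", response_len_flawed(buf, "gateway"));
    printf("long input,  flawed : %d (buffer holds only %d)\n",
           response_len_flawed(buf, long_name), RESP_CAP);
    printf("bytes really in buf : %zu\n", strlen(buf));
    printf("long input,  checked: %d\n", response_len_checked(buf, long_name));
    return 0;
}
```

Neither function performs the over-read; the flawed one only reports the length a caller would go on to transmit, which is what a code review or static-analysis rule should look for.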

Active exploitation of CVE-2023-4966 prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, which requires US federal agencies to apply the latest patches by November 8, 2023.

The latest developments also follow the release of updates for three critical remote code execution vulnerabilities in SolarWinds Access Rights Manager (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, CVSS scores: 9.8) that remote attackers can use to execute code with SYSTEM privileges.
