VMware has patched a critical vulnerability, CVE-2023-34063: a missing access control in VMware Aria Automation (formerly VMware vRealize Automation) that affects 8.x releases earlier than 8.16. Be aware that this infrastructure automation product also ships as a component of VMware Cloud Foundation, so VCF deployments are affected as well.
The bug carries a CVSS v3 base score of 9.9 out of 10, and VMware warns that successful exploitation can give an attacker unauthorized access to remote organizations and workflows. The flaw is new news and a fix is available, with two supported routes: apply the interim patch VMware provides for the affected 8.x releases listed in its KB article, or upgrade directly to VMware Aria Automation 8.16, which already contains the fix. Do not patch and then upgrade to anything other than 8.16. VMware notes: “The only supported upgrade path after applying the patch is to version 8.16. VMware strongly recommends this version. If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching.”
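The version rule above is easy to get wrong when working through an inventory, so here is a small check that encodes it. This is an added example written for this article, not VMware tooling, and the hostnames and version strings in it are constructed samples; the only facts it relies on are that 8.x builds below 8.16 are affected, that 8.16 contains the fix, and that after the interim patch the only supported upgrade target is 8.16.

```python
"""Exposure and upgrade-path check for CVE-2023-34063 in VMware Aria Automation.

Added example, not VMware's own code. It encodes the rules from VMware's
advisory: 8.x releases before 8.16 are affected, 8.16 contains the fix, and
after applying the interim patch the only supported upgrade target is 8.16
(an intermediate release reintroduces the bug).
"""

FIXED_RELEASE = (8, 16)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.14.1' into (8, 14, 1); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True for every 8.x build whose major.minor is below 8.16."""
    v = parse_version(version)
    return v[0] == 8 and v[:2] < FIXED_RELEASE


def remediation(current: str, patch_applied: bool = False) -> str:
    """Return the supported next step for an appliance running `current`."""
    v = parse_version(current)
    if v[0] != 8:
        return "out of scope: the advisory lists only 8.x; check VMware's KB for this line"
    if not is_affected(current):
        return "no action: 8.16 or later already contains the fix"
    if patch_applied:
        return "patched: the only supported upgrade target is 8.16"
    return "vulnerable: apply the interim patch for this release, or upgrade straight to 8.16"


def upgrade_target_ok(current: str, target: str) -> bool:
    """Whether an upgrade from `current` lands on a fixed release.

    Anything below 8.16 is still affected, and if the interim patch was
    applied the upgrade reintroduces the bug, so only 8.16 or later qualifies.
    """
    parse_version(current)  # validate, even though the verdict depends only on target
    return parse_version(target)[:2] >= FIXED_RELEASE


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, interim patch applied?)
    inventory = [
        ("vra-prod-01", "8.14.1", False),
        ("vra-prod-02", "8.13.1", True),
        ("vra-lab-01", "8.16.0", False),
        ("vra-legacy", "7.6.0", False),
    ]
    for host, ver, patched in inventory:
        print(f"{host:12} {ver:8} affected={is_affected(ver)!s:5} {remediation(ver, patched)}")
```

Run it against your own inventory export; the `patch_applied` flag matters because a patched 8.13 or 8.14 appliance that is later upgraded to 8.15 goes back to being vulnerable.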
VMware says there are no reports of exploitation “as of now.” It is safe to assume that would-be attackers are already scanning for vulnerable installations to take advantage of. If you are reading this some time after publication and realize you are running an affected version, you may have been exposed for a while: apply the fix as described above, then threat hunt for any persistence mechanisms an attacker could have established after gaining initial access, since patching closes the door but does not evict anyone who already came through it.
For more information, see VMware’s official response to CVE-2023-34063 (advisory VMSA-2024-0001), including patching directions: https://kb.vmware.com/s/article/96098
