Virtualization services provider VMware has alerted customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs.
Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability relates to a case of authentication bypass that could lead to remote code execution.
"An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution," VMware noted in an advisory on October 19, 2023.
James Horseman from Horizon3.ai and the Randori Attack Team have been credited with discovering and reporting the flaw.
Horizon3.ai has since made available a PoC for the vulnerability, prompting VMware to revise its advisory this week.
It's worth noting that CVE-2023-34051 is a patch bypass for a set of critical flaws that were addressed by VMware earlier this January that could expose users to remote code execution attacks.
"This patch bypass would not be very difficult for an attacker to find," Horseman said. "This attack highlights the importance of defense in depth. A defender can't always trust that an official patch fully mitigates a vulnerability."
The disclosure comes as Citrix released an advisory of its own, urging customers to apply fixes for CVE-2023-4966 (CVSS score: 9.4), a critical security vulnerability affecting NetScaler ADC and NetScaler Gateway that has come under active exploitation in the wild.
"We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability," the company said this week, corroborating a report from Google-owned Mandiant.
The exploitation efforts are also likely to ramp up in the coming days given the availability of a PoC exploit, dubbed Citrix Bleed.
"Here we saw an interesting example of a vulnerability caused by not fully understanding snprintf," Assetnote researcher Dylan Pindur said.
"Even though snprintf is recommended as the secure version of sprintf it is still important to be careful. A buffer overflow was avoided by using snprintf but the subsequent buffer over-read was still an issue."
The active exploitation of CVE-2023-4966 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies in the U.S. to apply the latest patches by November 8, 2023.
The latest developments also follow the release of updates for three critical remote code execution vulnerabilities in SolarWinds Access Rights Manager (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, CVSS scores: 8.8) that remote attackers could use to run code with SYSTEM privileges.
Update
Google-owned Mandiant said it's tracking four different uncategorized (UNC) groups involved in exploiting CVE-2023-4966 to target multiple verticals, including legal and professional services, technology, and government organizations, in the Americas, EMEA, and APJ.
The threat intelligence firm also said that the vulnerability is being abused to take over NetScaler sessions by leveraging the susceptible Citrix NetScaler endpoint to obtain a session cookie via a specially crafted HTTP GET request.
"This cookie is issued post-authentication, which can include multi-factor authentication checks," Mandiant researchers noted. "An attacker with access to a valid cookie can establish an authenticated session to the NetScaler appliance without knowledge of the username, password, or access to a multi-factor authentication token or device."
It further warned that the exploitation leaves behind limited forensic evidence, making these attacks particularly challenging to detect. Post-exploitation activity comprises network reconnaissance of the victim environment, credential harvesting, and lateral movement via RDP.
