Alert: PoC Exploits Released for Citrix and VMware Vulnerabilities

Virtualization services provider VMware has alerted customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs.

Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability relates to a case of authentication bypass that could lead to remote code execution.

“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMware noted in an advisory on October 19, 2023.

James Horseman from Horizon3.ai and the Randori Attack Team have been credited with discovering and reporting the flaw.

Horizon3.ai has since made available a PoC for the vulnerability, prompting VMware to revise its advisory this week.

It’s worth noting that CVE-2023-34051 is a patch bypass for a set of critical flaws that were addressed by VMware earlier this January that could expose users to remote code execution attacks.

“This patch bypass would not be very difficult for an attacker to find,” Horseman said. “This attack highlights the importance of defense in depth. A defender can’t always trust that an official patch fully mitigates a vulnerability.”

The disclosure comes as Citrix released an advisory of its own, urging customers to apply fixes for CVE-2023-4966 (CVSS score: 9.4), a critical security vulnerability affecting NetScaler ADC and NetScaler Gateway that has come under active exploitation in the wild.

“We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability,” the company said this week, corroborating a report from Google-owned Mandiant.

The exploitation efforts are also likely to ramp up in the coming days given the availability of a PoC exploit, dubbed Citrix Bleed.

“Here we saw an interesting example of a vulnerability caused by not fully understanding snprintf,” Assetnote researcher Dylan Pindur said.

“Even though snprintf is recommended as the secure version of sprintf it is still important to be careful. A buffer overflow was avoided by using snprintf but the subsequent buffer over-read was still an issue.”

The active exploitation of CVE-2023-4966 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies in the U.S. to apply the latest patches by November 8, 2023.

The latest developments also follow the release of updates for three critical remote code execution vulnerabilities in SolarWinds Access Rights Manager (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, CVSS scores: 8.8) that remote attackers could use to run code with SYSTEM privileges.