PRP: Vmware VRealize network insight RCE CVE 2023-20887

[secureness]

I want to write a Tsunami plugin to Cover this dangerous CVE if it is possible.
Ref: https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/

[maoning]

Hi @secureness, based on the article you linked this vuln is in scope for Tsunami. Do you know if there's an easy way to spin up this service locally, so that I can test out the plugin during the code review?

[secureness]

Hi @maoning
I'll setup an instance and comment here about how much it is easy to setup this application and if it was possible how to setup this application as fast as possible.

[secureness]

Hi @maoning
I already have the vulnerable version and its easy to download it but I'm trying to find a way that setting up the environment get easy for you as we need a vCenter instance. it seems that google cloud and aws can give a vCenter instance to us and then we need only upload the vulnerable ova file which contains vulnerable VRealize network. I already have trial licenses for 60 days that can give them to you to test the plugin, sorry for delay i had problem with my Google cloud in these days

[maoning]

Hi @secureness,

Thank you for following up on the details of testing the vulnerable vCenter instance. I think we are good to move on the development & review phase. Please share the detailed instructions of how to set up everything in your merge request.

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work at one issue at a time for each participant so please hold on the implementation work for any other requests you might have.

Thanks!

[secureness]

Hi @tooryx and @maoning
I found two mature tutorials for creating a home lab ESXi in the VMware workstation. So there should be a one-time setup which can take time for both of us, but if we set up this and keep this VMware workstation, we can use it for other CVEs too. ( for other VMware ESXi-based products).

please let me know, I want to work on this before the start of 2024 working days.

[tooryx]

Hi @secureness,

I managed to get an ESXi running with qemu. If you are performing the installation on a Workstation installation, please document carefully all steps required to install the vulnerable appliance so that we can reproduce it on our side (in case the OVF conversion fails).

~tooryx

[secureness]

@tooryx Thank you! It would be great if you could share a resource about running an ESXI with qemu. I'd like to look at this solution too.

[tooryx]

There is not really an existing resource (or I did not find it). Once I get everything working (I still have a few issues with networking), I will post a quick how-to here.

[secureness]

Hi @tooryx

I managed to build a nested vCenter home lab with VMware Workstation 17.
I'm sorry if it took a long time to set this up, I hope this helps me implement other CVEs as fast as possible.

[tooryx]

Hi @secureness,

Sorry I finalized installing VMWare ESXi on qemu and have a small guide. I will publish it at some point.
The issue is that I tried to have it run with one of the appliance that was provided as OVA in one of the issue but did not manage.

I will try to import VRealize as well when I have some time so that we can proceed.

~tooryx