Dig out details on CVE-2023-20877 – VMware has already fixed this matter. (18th May 2023)

Preface: If you have granted "Read & Execute" permission to Everyone on a parent folder and have not disabled permission inheritance on the subfolder, then in theory the subfolder should inherit the parent folder's permissions.

Background: VMware Aria Operations is a unified, AI-powered self-driving IT operations management platform for private, hybrid & multi-cloud environments.
You can execute scripts from the local OS using Orchestrator. To do that, Orchestrator needs access (x) to the folder where the script is located, and the Orchestrator user needs to be able to read and execute (rx) the script itself. You also need to allow Orchestrator to execute local files.
The access Orchestrator has to the filesystem is regulated by the entries in the js-io-rights.conf file.
Please note that the script needs to be in a file location that Orchestrator can access, and that Orchestrator runs as user vco with the group vco.
Orchestrator has full access preconfigured for the /var/run/vco directory. The + operator at the start of an entry means that Orchestrator has the right to access the directory, for example, to list its contents or to execute a file in it.
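As an added example (not VMware's code nor the post's), the following Python models how js-io-rights.conf style entries gate Orchestrator's filesystem access: a parser, an evaluator of effective rights that treats a rule as covering its whole subtree (the inheritance point from the preface), and an audit helper that flags execute grants on broad paths. The precedence rule (most specific path wins, later rule wins ties), support for `#` comments and the sample config are assumptions.

```python
"""Audit js-io-rights.conf style rules (example added here, not VMware code).
Rule = operator (+ grants, - denies), rights letters r/w/x, then a path.
Assumption: a rule covers its path and everything beneath it (the inheritance
idea from the preface); the most specific matching rule decides, later wins ties.
"""
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    grant: bool        # True for '+', False for '-'
    rights: frozenset  # subset of {'r', 'w', 'x'}
    path: str          # directory the rule applies to, plus its subtree
def parse_rules(text: str) -> list[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments are an assumption
        if not line:
            continue
        spec, path = line.split(None, 1)
        if spec[0] not in "+-" or set(spec[1:]) - set("rwx"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(spec[0] == "+", frozenset(spec[1:]),
                          path.strip().rstrip("/") or "/"))
    return rules

def _covers(rule_path: str, target: str) -> bool:
    return rule_path == "/" or target == rule_path or target.startswith(rule_path + "/")

def effective_rights(rules: list[Rule], target: str) -> set[str]:
    """Rights Orchestrator (user vco) would hold on an absolute path."""
    target = target.rstrip("/") or "/"
    rights: set[str] = set()
    # shorter prefixes first, so the most specific rule is applied last and wins
    for rule in sorted((r for r in rules if _covers(r.path, target)),
                       key=lambda r: len(r.path)):
        rights = rights | rule.rights if rule.grant else rights - rule.rights
    return rights

def find_broad_exec_grants(rules: list[Rule], max_depth: int = 1) -> list[Rule]:
    """Flag '+' rules that grant execute on '/' or a top-level directory."""
    return [r for r in rules
            if r.grant and "x" in r.rights and r.path.count("/") <= max_depth]

# Constructed sample config; the /var/run/vco entry mirrors the page's default.
SAMPLE_CONF = """\
-rwx /
+rwx /var/run/vco
-rwx /var/run/vco/private   # more specific deny overrides the inherited grant
+x /tmp                     # broad grant the audit should flag
"""
RULES = parse_rules(SAMPLE_CONF)
```

Running `find_broad_exec_grants` over a real js-io-rights.conf is a quick way to spot grants that let the vco user execute files from directories other users can write to.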

Vulnerability details: VMware Aria Operations contains a privilege escalation vulnerability. An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.

Official announcement: Check out the details on the link – https://www.vmware.com/security/advisories/VMSA-2023-0009.html
