Aria Operations for Networks updates fix two security vulnerabilities that could be used to bypass authentication and gain remote code execution.
The most severe of the flaws, CVE-2023-34039, relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation.
A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.
The second weakness, CVE-2023-20890, is an arbitrary file write vulnerability.
It allows an attacker with administrative access to write arbitrary files to arbitrary locations and achieve remote code execution.
The vulnerabilities, which affect VMware Aria Operations for Networks versions 6.2, 6.3, 6.6, 6.7, 6.8, 6.9, and 6.10, have been addressed in a series of patches released by VMware.