Security researchers with Horizon3’s Attack Team will release an exploit targeting a vulnerability chain next week for gaining remote code execution on unpatched VMware vRealize Log Insight appliances.
Now known as VMware Aria Operations for Logs, vRealize Log Insight makes it easier for VMware admins to analyze and manage terabytes of infrastructure and application logs.
On Tuesday, VMware patched four security vulnerabilities in this log analysis tool, two of which are critical and allow attackers to execute code remotely without authentication.
Both are tagged as critical severity with CVSS base scores of 9.8/10 and can be exploited by threat actors in low-complexity attacks that don’t require authentication.
One of them (CVE-2022-31706) is a directory traversal vulnerability that can be abused to inject files into the operating system of impacted appliances, and the second (tracked as CVE-2022-31704) is a broken access control flaw that can also be exploited by injecting maliciously crafted files in RCE attacks.
VMware also addressed a deserialization vulnerability (CVE-2022-31710) that triggers denial of service states and an information disclosure bug (CVE-2022-31711) exploitable to access sensitive session and application info.
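The directory traversal bug mentioned above belongs to a well-known class (CWE-22): a file-writing endpoint joins a client-supplied name onto a base directory without checking that the result stays inside it. The following Python snippet is an added, generic illustration of that class and its standard mitigation; it is not VMware's code, makes no claim about how the vRealize Log Insight flaw is implemented, and the upload-root directory and file names in it are constructed for the example.

```python
"""Generic illustration of directory traversal (CWE-22) and its fix.

Constructed example: a handler that stores a file under a client-supplied
name. Not VMware's code; it shows why a naive join lets the caller write
outside the intended directory, and how a containment check prevents it.
"""
import os
import tempfile

# Constructed upload root for the demonstration.
BASE_DIR = tempfile.mkdtemp(prefix="uploads_")


def unsafe_target_path(base_dir: str, client_name: str) -> str:
    """Vulnerable pattern: trusts the client-supplied name verbatim.

    os.path.join discards base_dir entirely when client_name is absolute,
    and '..' segments are not normalised away, so the result may land
    anywhere on the filesystem.
    """
    return os.path.join(base_dir, client_name)


def safe_target_path(base_dir: str, client_name: str) -> str:
    """Hardened pattern: resolve the joined path, then require containment.

    realpath() collapses '..' segments and follows symlinks, so the check
    is made on the location that would actually be written to.
    """
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, client_name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes upload root: {client_name!r}")
    return candidate


def escapes_base(base_dir: str, path: str) -> bool:
    """True if `path` resolves to a location outside `base_dir`."""
    base_real = os.path.realpath(base_dir)
    return os.path.commonpath([base_real, os.path.realpath(path)]) != base_real


def is_rejected(base_dir: str, client_name: str) -> bool:
    """True if the hardened check refuses `client_name`."""
    try:
        safe_target_path(base_dir, client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("logs/app.log", "../../../etc/crontab", "/etc/passwd"):
        naive = unsafe_target_path(BASE_DIR, name)
        print(f"{name!r:28} naive -> {naive}  escapes={escapes_base(BASE_DIR, naive)}"
              f"  hardened rejects={is_rejected(BASE_DIR, name)}")
```

The containment test compares the resolved candidate against the resolved base with `os.path.commonpath`, which is more robust than a `startswith` prefix check (a prefix check would accept `/srv/uploads_evil` as being under `/srv/uploads`). Logging the rejected names gives defenders a cheap detection signal for traversal attempts against any file-handling endpoint.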
On Thursday, Horizon3’s Attack Team warned VMware admins that they’ve been able to create an exploit that chains three of the four flaws patched by VMware this week to execute code remotely as root.
All vulnerabilities are exploitable in the default configuration of VMware vRealize Log Insight appliances. The exploit can be used to gain initial access to organizations’ networks (via Internet-exposed appliances) and for lateral movement with stored credentials.
One day later, the security researchers published a blog post containing additional information, including a list of indicators of compromise (IOCs) that defenders could use to detect signs of exploitation within their networks.
Attackers can obtain sensitive information from logs on Log Insight hosts, including API keys and session tokens that will help breach additional systems and further compromise the environment.
“This vulnerability is easy to exploit; however, it requires the attacker to have some infrastructure set up to serve malicious payloads,” the researchers said.
“Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network.
“This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system.”
As Horizon3 vulnerability researcher James Horseman further revealed, there are only 45 instances publicly exposed on the internet, according to Shodan data.
This is to be expected since VMware vRealize Log Insight appliances are designed to be accessed inside an organization’s network.
However, it is not uncommon for threat actors to abuse vulnerabilities in already breached networks to spread laterally to other devices, making these valuable internal targets.
In May 2022, Horizon3 released another exploit for CVE-2022-22972, a critical authentication bypass vulnerability affecting multiple VMware products and allowing threat actors to gain admin privileges.