Security researchers from the Horizon3 attack team will release an exploit next week targeting a chain of vulnerabilities to achieve remote code execution on unpatched VMware vRealize Log Insight appliances.

Now known as VMware Aria Operations for Logs, vRealize Log Insight makes it easier for VMware administrators to analyze and manage terabytes of infrastructure and application logs.

Tuesday, VMware fixed four security vulnerabilities in this log analysis tool, two of which are critical and allow attackers to execute code remotely without authentication.

Both are labeled as critical gravity with CVSS Base Scores of 9.8/10 and can be exploited by malicious actors in low complexity attacks that do not require authentication.

One of them (CVE-2022-31706) is a directory traversal vulnerability that can be exploited to inject files into the operating system of affected devices, and the second (tracked as CVE- 2022-31704) is a broken access control flaw that can also be exploited by injecting maliciously crafted files into RCE attacks.

vmware also discussed a deserialization vulnerability (CVE-2022-31710) that triggers denial of service states and an information disclosure bug (CVE-2022-31711) that can be exploited to gain access to sensitive session and application information.

VMware vRealize Log Insight unauth RCE exploit warning

​Thursday, the Horizon3 attack team warned VMware administrators were able to create an exploit that chains together three of the four flaws VMware patched this week to execute code remotely as root.

All vulnerabilities are exploitable in the default configuration of VMware vRealize Log Insight appliances. The exploit can be used to gain initial access to organizations’ networks (through internet-exposed devices) and for lateral movement with stored credentials.

A day later, security researchers published a blog post with additional information, including a list of indicators of compromise (IOCs) that defenders could use to detect signs of exploitation within their networks.

Attackers can obtain sensitive information from logs on Log Insight hosts, including API keys and session tokens that will help breach additional systems and further compromise the environment.

VMware vRealize Log Insight unauth RCE exploit
VMware vRealize Log Insight unauth RCE exploit (Horizon3)

“This vulnerability is easy to exploit, however, it requires the attacker to have an infrastructure configured to serve the malicious payloads,” the researchers said. said.

“Additionally, since this product is unlikely to be exposed to the Internet, the attacker has likely already established a foothold elsewhere on the network.

“This vulnerability allows remote code execution as root, essentially giving an attacker complete control over the system.”

As revealed by Horizon3 vulnerability researcher James Horseman, there are only 45 publicly exposed instances on the internet, according to data from Shodan.

This is expected since VMware vRealize Log Insight appliances are designed to be accessible inside an organization’s network.

However, it is not uncommon for threat actors to exploit vulnerabilities in already hacked networks to laterally spread to other devices, making them valuable internal targets.

In May 2022, Horizon3 released another exploit for CVE-2022-22972a critical authentication bypass vulnerability affecting several VMware products and allowing hackers to gain administrator privileges.


Source link