Multiple vulnerabilities in VMware vRealize Log Insight Could Allow for Remote Code Execution

guest · Jan 25, 2023

MS-ISAC ADVISORY NUMBER: 2023-012

DATE(S) ISSUED: 01/24/2023
OVERVIEW:
Multiple vulnerabilities have been discovered in VMware vRealize Log Insight, the most severe of which could allow for remote code execution. VMware vRealize Log Insight enables real-time logging for all components that build up the management capabilities of the SDDC. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Click to expand...

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:

VMware vRealize Log Insight prior to 8.10.2

Click to expand...

guest · Jan 31, 2023

Researchers to release VMware vRealize Log RCE exploit, patch now
By Sergiu Gatlan @serghei - January 28, 2023

Security researchers with Horizon3's Attack Team will release an exploit targeting a vulnerability chain next week for gaining remote code execution on unpatched VMware vRealize Log Insight appliances.
Click to expand...

Now known as VMware Aria Operations for Logs, vRealize Log Insight makes it easier for VMware admins to analyze and manage terabytes of infrastructure and application logs.

On Tuesday, VMware patched four security vulnerabilities in this log analysis tool, two of which are critical and allow attackers to execute code remotely without authentication.
Both are tagged as critical severity with CVSS base scores of 9.8/10 and can be exploited by threat actors in low-complexity attacks that don't require authentication.
Click to expand...

On Thursday, Horizon3's Attack Team warned VMware admins that they've been able to create an exploit that chains three of the four flaws patched by VMware this week to execute code remotely as root.

All vulnerabilities are exploitable in the default configuration of VMware vRealize Log Insight appliances. The exploit can be used to gain initial access to organizations' networks (via Internet-exposed appliances) and for lateral movement with stored credentials.
Click to expand...

One day later, the security researchers published a blog post containing additional information, including a list of indicators of compromise (IOCs) that defenders could use to detect signs of exploitation within their networks.

"This vulnerability is easy to exploit however, it requires the attacker to have some infrastructure setup to serve malicious payloads," the researchers said.

"Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network.
Click to expand...

guest · Jan 31, 2023

Exploit released for critical VMware vRealize RCE vulnerability
By Sergiu Gatlan @serghei - January 31, 2023

Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances.
Click to expand...

VMware patched four security vulnerabilities in its vRealize log analysis tool last week, two being critical and allowing remote attackers to execute code on compromised devices.

Both are tagged as critical severity with CVSS base scores of 9.8/10 and can be exploited as part of low-complexity attacks that don't require user interaction.
Click to expand...

Horizon3 published a blog post on Friday containing additional information on how three of them could be chained by threat attackers to execute code remotely as root on compromised VMware vRealize appliances.

Earlier today, Horizon3 published the PoC exploit and explained that the RCE exploit "abuses the various Thrift RPC endpoints to achieve an arbitrary file write."

"This vulnerability is easy to exploit however, it requires the attacker to have some infrastructure setup to serve malicious payloads," the researchers said.
"Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network. This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system."
Click to expand...

guest · Feb 2, 2023

VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities
By Ryan Naraine @ryanaraine - February 1, 2023

The urgency to patch a trio of dangerous security flaws in a VMware virtual appliance product escalated this week after exploit code was published on the internet.
Click to expand...

VMware confirmed the publication of exploit code in an update to its VMSA-2023-0001 bulletin and called on customers using its VMware vRealize Log Insight product to implement mitigations as a matter of urgency.

The vulnerabilities, tracked as CVE-2022-31706, CVE-2022-31704 and CVE-2022-31710, are rated critical with CVSS severity scores of 9.8 out of 10.
The security defects affect users of its VMware vRealize Log Insight and could be exploited by an unauthenticated attacker to take full control of a target system.
Click to expand...

The bulletin update follows the publication of a technical deep-dive by automated penetration testing firm Horizon3.ai that included demo exploit code. The company also released IOCs (indicators of compromise) to help defenders hunt for signs of compromise.
Click to expand...

Log in or Sign up

Multiple vulnerabilities in VMware vRealize Log Insight Could Allow for Remote Code Execution

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Multiple vulnerabilities in VMware vRealize Log Insight Could Allow for Remote Code Execution

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches