The Attack Team at Horizon3 will publish an exploit next week that takes advantage of a series of vulnerabilities to allow remote code execution on unpatched VMware vRealize Log Insight devices. vRealize Log Insight, currently referred to as VMware Aria Operations for Logs, makes it simpler for VMware administrators to analyze and manage large amounts of data from infrastructure and application logs. This log analysis tool had four security holes that were fixed by VMware on Tuesday, of which two were critical and enabled remote code execution by attackers without authentication.
Both have CVSS base ratings of 9.8/10, are classified as critical severity, and can be used by threat actors in unauthenticated low-complexity attacks. One of these (CVE-2022-31706) is a directory traversal flaw that can be used to insert files into the operating system of vulnerable appliances, while the other (CVE-2022-31704) is an access control vulnerability that can similarly be leveraged to launch RCE attacks by injecting malicious files. Additionally, VMware fixed a deserialization flaw (CVE-2022-31710) that might result in denial of service states and a bug (CVE-2022-31711) that allowed unauthorized access to sensitive session and application data.
VMware administrators were alerted by Horizon3’s Attack Team on Thursday that they had developed an attack that could remotely execute code as root by combining three of the four vulnerabilities that VMware addressed this week. In the VMware vRealize Log Insight appliances’ default setup, every vulnerability is exploitable. Through Internet-exposed appliances, the attack can be utilized to acquire initial access to a company’s networks and to migrate laterally using credentials collected on the victim host. The Horizon3 security researchers have released a blog post on their website with more details, including a collection of indicators of compromise (IOCs) that network defenders can use to look for evidence of exploitation.
Analyst Notes
The VMware patch for vRealize is available now, and system administrators should update the software as soon as possible. Ensuring that vRealize is not exposed to the internet is also an important factor to consider. Below are the version details for the software patch:
• VMware vRealize Log Insight
◦ Fixed version: 8.10.2
• VMware Cloud Foundation (VMware vRealize Log Insight)
◦ Fixed Version: KB90668
IOCs for potential exploitation of this vulnerability can be found here: https://www.horizon3.ai/vmware-vrealize-cve-2022-31706-iocs/
https://www.bleepingcomputer.com/news/security/researchers-to-release-vmware-vrealize-log-rce-exploit-patch-now/
