Horizon3's Attack Team will publish an exploit next week that chains several vulnerabilities to achieve remote code execution on unpatched VMware vRealize Log Insight appliances. vRealize Log Insight, now called VMware Aria Operations for Logs, lets VMware administrators collect, analyze and manage large volumes of infrastructure and application log data. VMware patched four vulnerabilities in the product on Tuesday; two of them are rated critical and allow remote code execution by unauthenticated attackers.
Both critical flaws carry a CVSS base score of 9.8/10 and can be used in unauthenticated, low-complexity attacks. One (CVE-2022-31706) is a directory traversal flaw that lets an attacker write arbitrary files to the operating system of a vulnerable appliance; the other (CVE-2022-31704) is a broken access control vulnerability that can likewise be leveraged for RCE by injecting malicious files. VMware also fixed a deserialization flaw (CVE-2022-31710) that can cause a denial of service and an information disclosure bug (CVE-2022-31711) that allows unauthorized access to sensitive session and application data.
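As an added illustration of the vulnerability class behind CVE-2022-31706 (this is not code from VMware or Horizon3, and not the appliance's actual code path), the following Python shows why an unchecked, client-supplied file name lets a remote caller write outside the intended directory, and the canonicalize-and-compare check that blocks it. The base directory, the sample file names and all helper names are assumptions made for this example.

```python
import os
import tempfile

# Constructed sample inputs: the kind of file names a file-write endpoint
# might receive from an unauthenticated client.
TRAVERSAL_CASES = [
    "report.log",                    # benign: stays inside the base directory
    "../../../etc/cron.d/backdoor",  # classic relative traversal
    "/etc/cron.d/backdoor",          # absolute path: os.path.join discards base_dir
    "logs/../../escape.sh",          # traversal hidden behind a plausible segment
]


def naive_join(base_dir, requested_name):
    """Vulnerable pattern: trust the client's name and join it to the base.

    os.path.join keeps '..' segments and, if requested_name is absolute,
    throws base_dir away entirely, so the result can point anywhere.
    """
    return os.path.join(base_dir, requested_name)


def is_inside(base_dir, candidate):
    """Hardened check: canonicalize both paths and compare directory prefixes.

    commonpath is used instead of str.startswith so that a sibling directory
    such as '<base>-evil' is not mistaken for the base directory.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def safe_join(base_dir, requested_name):
    """Return a canonical path inside base_dir or raise on traversal."""
    candidate = naive_join(base_dir, requested_name)
    if not is_inside(base_dir, candidate):
        raise ValueError("path traversal rejected: %r" % requested_name)
    return os.path.realpath(candidate)


def rejects(base_dir, requested_name):
    """True if safe_join refuses the name (used to exercise the failure path)."""
    try:
        safe_join(base_dir, requested_name)
    except ValueError:
        return True
    return False


def classify(base_dir, names):
    """Map each requested name to whether the naive join stays inside base_dir."""
    return {name: is_inside(base_dir, naive_join(base_dir, name)) for name in names}


def run_demo():
    """Create a throwaway base directory and evaluate the constructed cases.

    A sibling-directory case is built from the real base name so that the
    prefix-confusion pitfall is exercised as well.
    """
    base = tempfile.mkdtemp(prefix="uploads-")
    sibling = "../" + os.path.basename(base) + "-evil/payload.sh"
    results = classify(base, TRAVERSAL_CASES + [sibling])
    results["__sibling__"] = results.pop(sibling)
    return results


if __name__ == "__main__":
    for name, inside in run_demo().items():
        print("%-32s %s" % (name, "inside" if inside else "ESCAPES base dir"))
```

Only the first case survives the check; the other four all resolve outside the base directory and would be written elsewhere on the filesystem by the naive join. Note that the absolute-path case escapes without any `..` at all, which is why a filter that merely strips `../` is not sufficient.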
On Thursday, Horizon3's Attack Team warned VMware administrators that it had developed an exploit that achieves remote code execution as root by chaining three of the four vulnerabilities VMware addressed this week. All of the vulnerabilities are exploitable in the default configuration of vRealize Log Insight appliances. Against Internet-exposed appliances, the attack can be used to gain initial access to an organization's network and then move laterally using credentials harvested from the compromised host. Horizon3's researchers have published a blog post with further details, including a set of indicators of compromise (IOCs) that defenders can use to hunt for evidence of exploitation.