Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances.
VMware patched four security vulnerabilities in its vRealize log analysis tool last week, two being critical and allowing remote attackers to execute code on compromised devices.
Both are tagged as critical severity with CVSS base scores of 9.8/10 and can be exploited as part of low-complexity attacks that don’t require user interaction.
The first (CVE-2022-31706) is a directory traversal bug, and the second (CVE-2022-31704) is a broken access control flaw. They can be abused to inject maliciously crafted files into the operating system of impacted appliances.
VMware also fixed a deserialization vulnerability (CVE-2022-31710) which triggers denial of service states, and an information disclosure bug (CVE-2022-31711) that attackers can use to gain access to sensitive session and application info.
Horizon3 published a blog post on Friday containing additional information on how three of them could be chained by threat attackers to execute code remotely as root on compromised VMware vRealize appliances.
The researchers also released a list of indicators of compromise (IOCs) that network defenders could use to detect exploitation within their networks after warning one day earlier that they’re going to release that targets this bug chain.
Earlier today, Horizon3 published the PoC exploit and explained that the RCE exploit “abuses the various Thrift RPC endpoints to achieve an arbitrary file write.”
”This vulnerability is easy to exploit however, it requires the attacker to have some infrastructure setup to serve malicious payloads,” the researchers said.
“Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network. This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system.”
While there are only a few dozen instances publicly exposed on the internet, according to Shodan data, this is to be expected given that VMware vRealize Log Insight appliances are designed to be accessed from inside an organization’s network.
However, it’s not uncommon for attackers to exploit vulnerabilities in already compromised networks for lateral movement, making vulnerable VMware appliances valuable internal targets.
Although there are no public reports of attacks leveraging this exploit chain and no attempts to exploit it in the wild, resourceful and motivated threat actors will likely move quickly to adopt Horizon3’s RCE exploit or create their own custom versions.
Last year, Horizon3 researchers also released an exploit for CVE-2022-22972, a critical authentication bypass security flaw affecting multiple VMware products and allowing a malicious actor to gain admin privileges on unpatched instances.