Targeted VMware RCE Vulnerabilities

The vRealize Log Insight platform is vulnerable to security vulnerabilities that can give hackers access to corporate data.

As of today, VMware's vRealize Log Insight platform is affected by three security vulnerabilities for which exploit code is now publicly available, enabling cybercriminals to weaponize them in a variety of ways. Among them are critical unauthenticated remote code execution (RCE) bugs.

VMware says the vRealize Log Insight platform, which is moving forward under the name Aria Operations, provides intelligent log management for infrastructure and applications "in any environment." Besides giving IT departments visibility across physical, virtual, and cloud environments, its dashboards and analytics can be extended through third-party extensions.

The platform is typically deployed as an appliance and has access to sensitive areas of an organization's IT infrastructure across a wide range of devices.

Once an attacker has gained access to the Log Insight host, they could take advantage of some interesting features depending on which applications it integrates with, according to Horizon.ai researcher James Horseman, who examined the publicly available exploit code. Ingested logs often contain sensitive information from other services, including session tokens, API keys, and personally identifiable information, all of which can be gathered during an attack. Having acquired keys and sessions on one system, an attacker can pivot to another and use them to compromise that system further.

Organizations need to be aware of the associated risks, according to Dustin Childs, chief executive officer of Trend Micro's Zero Day Initiative (ZDI), the organization that disclosed the vulnerabilities, particularly since the bugs are easy to reach and present a low barrier to exploitation.

Centralized log management tools like this are widely used in enterprises, but the same centralization makes the tool a substantial risk for the enterprise. VMware recommends that the patch be tested and deployed as quickly as possible once it has been received.

VMware vRealize Log Insight Bugs: An In-Depth Look 

According to the original VMware advisory, both critical issues carry severity scores of 9.8 out of 10. An unauthenticated, malicious actor could exploit them to inject files into the operating system of an impacted appliance, which can result in remote code execution.

The first vulnerability (CVE-2022-3172) is a directory traversal flaw and the most serious of the set; the second (CVE-2022-31704) is a broken access control issue.

The third flaw (CVE-2022-31710, CVSS 7.5) is less severe: a denial of service vulnerability that could allow an unauthenticated malicious actor to remotely trigger a denial of service.

Creating a Bug Chain to Facilitate a Full Takeover of a System

Researchers at Horizon.ai revealed that the three issues can be chained together after they identified exploit code in the wild, which led VMware to update its advisory today.

As Horseman wrote, the combined vulnerability chain is very easy to exploit, although he added that it requires some infrastructure setup to serve malicious payloads. The chain yields remote code execution as root, which means an attacker can take full control of the system.

He did point out, however, that the product is intended for use on an internal network. Based on Shodan data, 45 appliances were found publicly exposed on the internet. Even so, the chain can be used both internally and externally.

"It's very likely that the attacker already has a foothold somewhere else on the network by the time they target this product since this product is not likely to be exposed to the Internet," he noted. Further investigation is necessary to determine whether an attacker has caused any damage.

The virtualization giant disclosed the three vulnerabilities last week as part of a larger batch that included one other weakness: a medium-severity vulnerability (CVE-2022-31711, CVSS 5.3) that could enable data harvesting without authentication. There is currently no public exploit code for the latter, but that could change shortly, especially since cybercriminals are becoming increasingly interested in VMware's offerings.

Other issues could likely be exploited in a variety of ways in the future as well. ZDI's Childs says the organization has proof-of-concept code demonstrating the vulnerabilities, and the researchers would not be surprised if others came up with an exploit quickly.

What are the Best Practices for Protecting an Enterprise? 

Admins should apply VMware's patches as soon as possible to protect their organizations, or use the workaround VMware recommends. Horizon.ai has also published indicators of compromise (IoCs) that organizations can use to check for signs of an attack.

If you are using vRealize or Aria Operations for centralized log management, Childs advises, patching should be the first step, but there are other things to consider: whether the platform is connected to the Internet and whether access to it is restricted by IP. The episode is also a reminder that every tool or product within an organization is a potential foothold for an attacker.
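One concrete way to act on the advice about IP restriction is to audit the appliance's own web access logs for requests arriving from outside the administrator subnets. The script below is an added example for this article; it is not code from VMware, Horizon.ai, or ZDI. It assumes an Apache/nginx-style combined access log format and two hypothetical admin subnets, and the log lines it processes are constructed for the demonstration.

```python
"""Audit access-log lines for requests that reach a log-management
appliance from outside an administrator IP allowlist.

Added example, not code from the article, VMware or Horizon.ai. The log
format (Apache/nginx-style combined log) and the allowlist subnets are
assumptions; the sample lines below are constructed for the demo.
"""
import ipaddress
import re
from typing import Iterable

# Assumed: only these management subnets should ever reach the appliance.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Assumed access-log layout: client IP, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_allowed(ip_text: str) -> bool:
    """True if the client address falls inside one of the admin subnets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: treat as not allowed so it gets flagged
    return any(ip in net for net in ADMIN_ALLOWLIST)


def audit(lines: Iterable[str]) -> list[dict]:
    """Return one record per request that came from outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        if not is_allowed(m["ip"]):
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "request": m["req"], "status": int(m["status"])}
            )
    return findings


def summarize(lines: Iterable[str]) -> dict[str, int]:
    """Count flagged requests per source address, for a quick triage view."""
    counts: dict[str, int] = {}
    for f in audit(lines):
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample: three admin requests, two from a public (TEST-NET) address,
# and one line that is not an access-log entry at all.
SAMPLE_LOG = """\
10.20.4.7 - - [27/Jan/2023:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
192.168.50.9 - - [27/Jan/2023:10:02:10 +0000] "POST /api/v1/sessions HTTP/1.1" 200 88
203.0.113.45 - - [27/Jan/2023:10:05:33 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.45 - - [27/Jan/2023:10:05:41 +0000] "POST /api/v1/sessions HTTP/1.1" 401 40
not an access log line
10.20.9.1 - - [27/Jan/2023:10:07:00 +0000] "GET /dashboards HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']}  {f['ip']:<15} {f['status']}  {f['request']}")
    print(summarize(SAMPLE_LOG.splitlines()))
```

Any hit from outside the allowlist is worth checking against the published IoCs; a successful login (HTTP 200 on a session endpoint) from a non-admin address is the case that most warrants follow-up, since the article notes an attacker on this host can harvest tokens and keys from ingested logs.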