White hat hackers release VMware vRealize Log RCE exploit


Security researchers from the Horizon3 team will publish online an exploit that chains several vulnerabilities to achieve remote code execution on appliances running VMware vRealize Log Insight.

The product, now known as VMware Aria Operations for Logs, makes it much easier for VMware administrators to analyze and manage system logs.

VMware has fixed four security vulnerabilities in this log analyzer, two of which are critical and allow attackers to execute code remotely. Both are rated critical with CVSS base scores of 9.8/10, and both can be exploited in low-complexity attacks that require no authentication.

The first (CVE-2022-31706) is a directory traversal vulnerability that can be used to write files into the operating system. The second (CVE-2022-31704) is a broken access control vulnerability.

VMware also fixed a deserialization vulnerability (CVE-2022-31710) that could cause a system crash, as well as an information disclosure vulnerability (CVE-2022-31711) that could be used to access sensitive data.

On January 26, the Horizon3 team alerted VMware administrators that it had managed to create an exploit combining three of the four vulnerabilities already patched by VMware to execute code remotely as root.

All of the vulnerabilities can be exploited in the default configuration of the VMware vRealize Log Insight appliance. The exploit can be used to gain initial access to corporate networks (through appliances exposed to the Internet) and then to move laterally across the network using credentials stored on the appliance.

A day later, Horizon3 published a blog post with more details, including a list of Indicators of Compromise (IoCs) that security professionals can use to detect signs of exploitation on their networks.

Using this exploit, attackers can obtain sensitive information from the logs held on Log Insight hosts, including API keys and session tokens, which can help them break into additional systems and compromise the environment even further.

James Horseman, a researcher at Horizon3, said that only about 45 vulnerable appliances are currently exposed on the Internet, a relatively small number. This is to be expected, as VMware vRealize Log Insight is designed for internal use within an organization's own network, and it is usually not reachable from outside. However, it is not uncommon for cybercriminals to exploit vulnerabilities inside already compromised networks to expand their access.

In May 2022, Horizon3 released an exploit for CVE-2022-22972, a critical authentication bypass vulnerability affecting several VMware products that allowed attackers to gain administrator rights.