Three security vulnerabilities affecting VMware's vRealize Log Insight platform now have public exploit code circulating, offering a map for cybercriminals to follow to weaponize them. These include two critical unauthenticated remote code execution (RCE) bugs.
The vRealize Log Insight platform (which is transitioning its name to Aria Operations) provides intelligent log management "for infrastructure and applications in any environment," according to VMware, offering IT departments access to dashboards and analytics that have visibility across physical, virtual, and cloud environments, including third-party extensibility. Usually loaded onto an appliance, the platform can have highly privileged access to the most sensitive areas of an organization's IT footprint.
"Gaining access to the Log Insight host provides some interesting possibilities to an attacker, depending on the type of applications that are integrated with it," said Horizon.ai researcher James Horseman, who did a deep dive into the public exploit code this week. "Often, logs ingested may contain sensitive data from other services and may allow an attack to gather session tokens, API keys, and personally identifiable information. Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment."
Organizations should take note of the risk, especially since the barrier to exploitation for the bugs — aka, the access complexity — is low, says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which reported the vulnerabilities.
"If you are doing centralized log management with this tool, it represents a significant risk to your enterprise," he tells Dark Reading. "We recommend testing and deploying the patch from VMware as soon as possible."
Inside the VMware vRealize Log Insight Bugs
The two critical issues carry severity scores of 9.8 out of 10 on the CVSS scale and could allow an "unauthenticated, malicious actor to inject files into the operating system of an impacted appliance which can result in remote code execution," according to the original VMware advisory.
One (CVE-2022-31706) is a directory traversal vulnerability; the other (CVE-2022-31704) is a broken access control vulnerability.
The third flaw is a high-severity deserialization vulnerability (CVE-2022-31710, CVSS 7.5), which could allow an unauthenticated malicious actor to "remotely trigger the deserialization of untrusted data, which could result in a denial of service."
Creating a Bug Chain for Complete Takeover
Horizon.ai researchers, after identifying the exploit code in the wild, discovered that the three issues could be chained together, prompting VMware to update its advisory today.
"This [combined] vulnerability [chain] is easy to exploit; however, it requires the attacker to have some infrastructure setup to serve malicious payloads," Horseman wrote. "This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system."
That said, he offered a silver lining: The product is intended for use in an internal network; he noted that Shodan data turned up 45 instances of the appliances being publicly exposed on the Internet.
That does not, however, mean that the chain can’t be used from within.
"Since this product is unlikely to be exposed to the Internet, the attacker likely has already established a foothold somewhere else on the network," he noted. "If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”
The three bugs were first disclosed last week by the virtualization giant as part of a cache that also included one other, a medium-severity information-disclosure bug (CVE-2022-31711, CVSS 5.3) that could allow data harvesting without authentication. The latter doesn't yet have public exploit code, though that could quickly change, particularly given how popular of a target VMware offerings are for cybercriminals.
There could also soon be multiple ways to exploit the other issues, too. "We have proof-of-concept code available to demonstrate the vulnerabilities," ZDI's Childs says. "We would not be surprised if others figured out an exploit in short order."
How to Protect the Enterprise
To protect their organizations, admins are urged to apply VMware's patches, or apply a published workaround as soon as possible. Horizon.ai has also published indicators of compromise (IoCs) to help organizations track any attacks.
Also, "if you are using vRealize or Aria Operations for centralized log management, you need to check what type of exposure that system has," Childs advises. "Is it connected to the Internet? Are there IP restrictions for who can access the platform? These are additional items to consider beyond patching, which should be your first step. It's also a reminder that every tool or product in an enterprise represents a potential target for attackers to gain a foothold."