Watch out! Experts plan to release VMware vRealize Log RCE exploit next week

Horizon3’s Attack Team made the headlines again, announcing the upcoming release of PoC exploit code for remote code execution in VMware vRealize Log.

Researchers from Horizon3’s Attack Team announced the release of PoC exploit code for remote code execution in VMware vRealize Log.

The PoC exploit code chains a series of flaws in VMware vRealize Log to achieve remote code execution on vulnerable installs.


VMware Aria Operations for Logs (formerly vRealize Log Insight) is a log collection and analytics virtual appliance that enables administrators to collect, view, manage and analyze syslog data. Log Insight provides real-time monitoring of application logs, network traces, configuration files, messages and performance data.

The availability of an exploit like the one announced by Horizon3’s Attack Team is bad news for organizations: a threat actor can develop its own version of the exploit to gain initial access to targets’ networks and perform a broad range of malicious activities.


“This vulnerability is easy to exploit; however, it requires the attacker to have some infrastructure setup to serve malicious payloads. Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network.” reads a post published by Horizon3’s Attack Team. “This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system.”

This week VMware addressed multiple vulnerabilities, tracked as CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, and CVE-2022-31711, in its vRealize Log Insight appliance.

The most severe flaws impacting the product are a Directory Traversal Vulnerability tracked as CVE-2022-31706 (CVSS score 9.8) and a broken access control vulnerability tracked as CVE-2022-31704 (CVSS score 9.8).

An unauthenticated attacker can exploit either of the two flaws to inject files into the operating system of an impacted appliance, which can result in remote code execution.


“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.” reads the advisory published by the virtualization giant.
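As an added illustration of the vulnerability class the advisory describes (a directory traversal that lets an unauthenticated client place a file wherever it likes on the appliance), the following Python example is constructed for this article and is not code from VMware or from the Horizon3 post. It shows a naive path join that honours "../" and absolute names, the string-prefix check that is often applied as a "fix" and does not close the hole, and a containment check built on canonicalised paths. The ingestion endpoint, the sample file names and the data directory are all assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample input: file names as a client could hand them to an
# assumed log-ingestion endpoint. Only the last one is legitimate.
SAMPLE_NAMES = [
    "../../etc/cron.d/backdoor",   # classic ../ traversal
    "logs/../../escape.sh",         # traversal buried after a benign prefix
    "/etc/cron.d/backdoor",         # absolute name: os.path.join discards base
    "../data-evil/x",               # escapes, yet still starts with "<base>" as a string
    "host1/app.log",                # legitimate, stays inside the data directory
]


class TraversalError(ValueError):
    """Raised when a client-supplied name would leave the data directory."""


def vulnerable_destination(base_dir, client_name):
    # Naive join: '..' components and absolute names are honoured, so the
    # write location is wherever the client says it is.
    return os.path.normpath(os.path.join(base_dir, client_name))


def naive_prefix_check(base_dir, client_name):
    # Common but insufficient mitigation: a plain string-prefix test. It
    # accepts "<base>-evil/x" because that string does start with "<base>".
    return vulnerable_destination(base_dir, client_name).startswith(base_dir)


def safe_destination(base_dir, client_name):
    # Canonicalise both sides (collapses '..', follows symlinks, handles
    # absolute names) and require the candidate to be inside base_dir as a
    # path, not as a string. Path.relative_to raises ValueError otherwise.
    base = Path(base_dir).resolve()
    candidate = (base / client_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise TraversalError(f"refusing {client_name!r}: resolves outside {base}")
    return str(candidate)


def store_upload(base_dir, client_name, data):
    # Write only after the containment check has passed.
    dest = safe_destination(base_dir, client_name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo():
    """Evaluate every sample name against a throwaway data directory.

    Nothing is written for the vulnerable variant; it only reports where the
    naive join would have put the file. Returns a dict the caller can inspect.
    """
    root = tempfile.mkdtemp(prefix="ingest-demo-")
    base = os.path.join(root, "data")
    os.makedirs(base)

    escaped, rejected = [], []
    for name in SAMPLE_NAMES:
        target = vulnerable_destination(base, name)
        # The naive join escapes unless the result is base itself or below it.
        if not (target == base or target.startswith(base + os.sep)):
            escaped.append(name)
        try:
            safe_destination(base, name)
        except TraversalError:
            rejected.append(name)

    written = store_upload(base, "host1/app.log", b"constructed syslog line\n")
    return {
        "base": base,
        "real_base": os.path.realpath(base),
        "escaped_by_vulnerable_join": escaped,
        "rejected_by_safe_join": rejected,
        "accepted_by_prefix_check": [n for n in SAMPLE_NAMES if naive_prefix_check(base, n)],
        "written": written,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the four hostile names escaping the data directory under the naive join, the prefix check letting "../data-evil/x" through, and the resolved-path check rejecting all four while still accepting "host1/app.log". Resolving with `Path.resolve()` also covers a symlink inside the data directory that points outside it, which a check on the unresolved string would miss.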

The other flaws fixed by VMware are:

  • CVE-2022-31710, a Deserialization Vulnerability (CVSS score 7.5) that can be exploited by a remote attacker to trigger the deserialization of untrusted data, which could result in a denial of service.
  • CVE-2022-31711, an Information Disclosure Vulnerability (CVSS score 7.5) that can be exploited by a remote attacker to collect sensitive session and application information without authentication.

The post published by Horizon3’s Attack Team researchers also includes a list of indicators of compromise (IOCs) that can be used to detect exploitation attempts for the above issues.


“Gaining access to the Log Insight host provides some interesting possibilities to an attacker depending on the type of applications that are integrated with it. Often logs ingested may contain sensitive data from other services and may allow an attacker to gather session tokens, API keys, and PII.” continues the post. “Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment.”

The experts used the Shodan search engine and discovered only 45 VMware vRealize Log Insight appliances that are exposed online.

Pierluigi Paganini


(SecurityAffairs – hacking, VMware vRealize Log)



