VMware headquarters sign
Horizon3.ai released a proof of concept for vulnerabilities in VMware vRealize Log Insight that could launch a remote code execution. ("VMware Headquarters" by Ben Hamilton (Ben Gertzfield) is licensed under CC BY-NC-SA 2.0.)

Researchers released a proof of concept (PoC) of a string of VMware vRealize Log Insight (now known as VMware Aria Operations for Logs) vulnerabilities that they used to prove that attackers could exploit the flaws to launch remote code execution (RCE) as root.

VMware released patches and workarounds for the vRealize vulnerabilities last week after they were reported to them late last summer by Zero Day Initiative, ZDI.  

In an interview with SC Media, James Horseman, an exploit developer at Horizon3.ai and the author of Tuesday’s blog post, said the team decided to focus on the VMware log management Common Vulnerabilities and Exposures (CVEs) because of their high severity and low complexity.

Horseman said two of the four designated CVEs — CVE-2022-31706 and CVE-2022-31704 — were rated critical at 9.8 on a scale of 10 being the highest. A high CVE rating indicates low complexity, said Horseman, meaning that attackers can exploit the vulnerabilities more easily and readily take advantage of them.

CVE-2022-31706 was described by NIST as a directory traversal vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance, which can result in remote code execution. CVE-2022-31074 was described by NIST as an access control vulnerability, in which an unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance, which has the potential to result in an RCE.

Horseman said Horizon3.ai used the directory traversal and access control vulnerability, along with an information disclosure vulnerability — in which a malicious actor can remotely collect sensitive session and application information without authentication (CVE-2022-31711) — to build the exploit.

“We compared a patched version of the CVEs with an upatched version of the CVEs and determined that security teams needed to consider patching these vulnerabilities or deploy the workaround released by VMware,” Horseman said. “Companies can have some 80,000 vulnerabilities to patch so how do they know what to do first? That’s why we release these PoCs. We exploit the system and show you what to do so you can prioritize what you need to fix.”

It looks like this CVE has been rated so high because of its RCE capability, said Andrew Barratt, vice president at Coalfire. Barratt said the vulnerability essentially allows a complete take over. However, he said it’s not by design intended to be exposed to the internet. It could become a de facto lateral movement or “persistence” attack once an intruder has gained initial access via another mechanism.

“These kind of attacks sometimes fall by the wayside from vulnerability managers — who mis-prioritize because of the ‘we don’t expose this’ mindset,” said Barratt. “The reality is that attackers rarely gain access from an exploitable vulnerability, typically leveraging phishing or another credential-based attack. But taking root level access to a system, and using that as a basis for further internal attacks could be very damaging — particularly in systems that are ‘by design’ well-connected to the wider infrastructure because of the services they provide.”