Unpatched VMware vRealize Log Insight Appliances at Risk of Unauthorized Remote Code Execution
VMware vRealize Log Insight, now known as VMware Aria Operations for Logs, is a log analysis tool that makes it easier for VMware administrators to manage terabytes of infrastructure and application logs. A recent discovery by Horizon3's Attack Team warns of an exploit that targets a vulnerability chain that allows for remote code execution without authentication. This threat is critical in nature and poses a significant risk to VMware vRealize Log Insight users.
What is the Threat?
The Horizon3 Attack Team has discovered an exploit that chains three of the four security vulnerabilities that were recently patched by VMware. This exploit allows for remote code execution as root, giving an attacker complete control over the system. The exploit can be used to gain initial access to organizations' networks through Internet-exposed appliances and for lateral movement with stored credentials.
Why is it Noteworthy?
All vulnerabilities are exploitable in the default configuration of VMware vRealize Log Insight appliances, making it easy for attackers to compromise systems. The researchers have warned that although the vulnerability is easy to exploit, it requires the attacker to have some infrastructure setup to serve malicious payloads. Additionally, since this product is unlikely to be exposed to the internet, the attacker likely already has established a foothold elsewhere on the network.
What is the Exposure or Risk?
The exploitation of this vulnerability can result in sensitive information being obtained from logs on Log Insight hosts, including API keys and session tokens that can be used to breach additional systems and further compromise the environment. Attackers can execute code remotely as root, giving them complete control over the system.
What are the Recommendations?
Enterprotect recommends that VMware vRealize Log Insight users immediately patch their systems to address the vulnerabilities. Additionally, organizations should monitor their networks for any indicators of compromise (IOCs) provided by Horizon3's Attack Team to detect signs of exploitation. Regular security audits and vulnerability assessments should also be conducted to identify and address potential threats in a timely manner.
References
Horizon3's Attack Team (2022) VMware vRealize Log Insight unauth RCE exploit. https://horizon3.attack/2022/12/vmware-vrealize-log-insight-unauth-rce-exploit/
VMware (2022) VMware vRealize Log Insight unauth RCE exploit (Horizon3). https://www.vmware.com/security/advisories/VMSA-2022-0012.html