Security researchers at the security testing company Horizon3 have discovered a new exploit for VMware vRealize Log Insight appliances. The exploit chains several previously disclosed and patched vulnerabilities into a single attack that can remotely execute code as root.
Security specialists recently discovered four vulnerabilities in VMware vRealize Log Insight appliances, the product now known as VMware Aria Operations for Logs. Two of these vulnerabilities are rated critical and allow cybercriminals to execute code remotely without authentication.
The first critical vulnerability, CVE-2022-31706, is a so-called “directory traversal” vulnerability that can be exploited to write files into the operating system of the affected appliances. The second critical vulnerability is a “broken access control” flaw that can likewise be exploited to plant malicious files and achieve remote code execution (RCE).
The other two vulnerabilities, CVE-2022-31710 and CVE-2022-31711, are a flaw that enables denial-of-service attacks and an information disclosure flaw that exposes data from active sessions and applications, respectively.
VMware has since released patches for these vulnerabilities. Unfortunately, not everyone has installed them yet.
Warning for combination exploit
In their new alert, the security specialists warn that they have found an exploit that combines three of the previously found vulnerabilities. This new exploit allows cybercriminals to remotely run code as root.
More specifically, the exploit gives access to VMware appliances that are exposed to the Internet and allows cybercriminals to move laterally using the login credentials stored on these appliances. Those credentials include sensitive information held on VMware vRealize Log Insight hosts, such as API keys and session tokens, among others. This allows the attackers to penetrate deeper into the systems of the affected organizations, with dire consequences.
Horizon3 specialists have now published a number of indicators that end users can use to check whether their VMware appliances are vulnerable to the new exploit. These include the log entries on the Log Insight server and the network traffic going to and from the Log Insight server. The researchers say they will present more detailed information soon.
Patching highly desirable
The new exploit is easy to use, the researchers further point out. However, an attacker does need a certain amount of infrastructure of their own in order to host the malicious payloads.
The researchers have determined that 45 Internet-connected appliances worldwide are already being abused by the new exploit. They therefore call for VMware’s patches for the four previously found vulnerabilities to be applied as soon as possible.