According to Horizon3, there are four new CVEs affecting VMware vRealize Log Insight, reported by ZDI. Three of these CVEs can be combined to give an attacker remote code execution as root. The chain is exploitable in the default configuration of VMware vRealize Log Insight.
In its latest blog post, Horizon3 has released the technical details of all four vulnerabilities:
- CVE-2022-31706: VMware vRealize Log Insight Directory Traversal Vulnerability
- CVE-2022-31704: VMware vRealize Log Insight Broken Access Control Vulnerability
- CVE-2022-31710: VMware vRealize Log Insight Deserialization Vulnerability
- CVE-2022-31711: VMware vRealize Log Insight Information Disclosure Vulnerability
Two of the flaws, CVE-2022-31706 (the Directory Traversal Vulnerability) and CVE-2022-31704 (the Broken Access Control Vulnerability), are rated critical severity with CVSS base scores of 9.8/10 and can be exploited by threat actors in low-complexity attacks that don't require authentication.
The researcher said the vulnerability abuses the various Thrift RPC endpoints to achieve an arbitrary file write. "This vulnerability is easy to exploit; however, it requires the attacker to have some infrastructure setup to serve malicious payloads."
According to Shodan data, only a few dozen instances are publicly exposed on the internet. The Horizon3 team also previously released an exploit for CVE-2022-22972, a critical authentication bypass security flaw that affects multiple VMware products and allows a malicious actor to gain admin privileges on unpatched instances.