VMware on Tuesday released software to remediate four security vulnerabilities affecting vRealize Log Insight (aka Aria Operations for Logs) that could expose users to remote code execution attacks.
Two of the flaws are critical, carrying a severity rating of 9.8 out of a maximum of 10, the virtualization services provider noted in its first security bulletin for 2023.
Tracked as CVE-2022-31706 and CVE-2022-31704, the directory traversal and broken access control issues could be exploited by a threat actor to achieve remote code execution irrespective of the difference in the attack pathway.
"An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution," the company said of the two shortcomings.
A third vulnerability relates to a deserialization flaw (CVE-2022-31710, CVSS score: 7.5) that could be weaponized by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.
Lastly, vRealize Log Insight has also been found susceptible to an information disclosure bug (CVE-2022-31711, CVSS score: 5.3) which could permit access to sensitive session and application data without any authentication.
The Zero Day Initiative (ZDI) has been credited for reporting all the flaws. Besides releasing version 8.10.2 to address the issues, VMware has also provided workarounds to mitigate them until the patches can be applied.
While there is no indication that the aforementioned vulnerabilities have been exploited in the wild, it's not uncommon for threat actors to target VMware appliances in their attacks, making it essential that the fixes are applied as soon as possible.
Update — PoC Released for VMware Flaws
A proof-of-concept (PoC) exploit has been released for the recently patched security flaws in the VMware vRealize Log Insight vulnerability that offers a blueprint for attackers to gain remote code execution on unpatched appliances.
The exploit entails chaining together three flaws – CVE-2022-31704, CVE-2022-31706, and CVE-2022-31711 – to achieve an arbitrary file write on the affected system.
"Gaining access to the Log Insight host provides some interesting possibilities to an attacker, depending on the type of applications that are integrated with it," Horizon3.ai researcher James Horseman said.
It, however, bears noting that while the flaws are trivial to exploit, it banks on the prerequisite that the adversary has an infrastructure in place to serve the malicious payloads and has already established a foothold on the network by other means since there are lesser chances of the product being exposed to the internet.