Last week, VMware released patches for four vulnerabilities in its vRealize Log Insight product. Chained together, they could allow attackers to take control of the log collection and analytics platform. Security researchers have now released a proof-of-concept exploit chain, along with detailed explanations of each vulnerability, which could lead to attacks in the wild. Gaining access to the Log Insight host could give attackers access to sensitive data from other services, such as session tokens, API keys, and PII, which they could use to pivot to other systems and further compromise the environment.

The first vulnerability, CVE-2022-31704, is a broken access control issue. VMware's manual workaround script blocked access to TCP ports 16520 through 16580, which are used for communication over the Apache Thrift RPC framework.

The second vulnerability, CVE-2022-31706, is a directory traversal issue. The researchers found an RPC called remotePakDownloadCommand that downloads a file with the .pak extension, and another RPC called pakUpgradeCommand that can be used to invoke a Python script that unpacks this file.

The third vulnerability, CVE-2022-31711, is an information disclosure issue that can be used to leak a node token.

The fourth vulnerability, CVE-2022-31710, is a deserialization issue that can be exploited to crash the system and cause a denial-of-service condition. This vulnerability is not required for the exploit chain that results in remote code execution.

Log Insight is not typically exposed to the internet, but an attacker who gains access to the local network can exploit the vulnerabilities to obtain sensitive data and use it for lateral movement. VMware has released a workaround script and version 8.10.2 of vRealize Log Insight, which patches the flaws.
This Cyber News was published on www.csoonline.com. Publication date: Thu, 02 Feb 2023 21:23:03 +0000