Penetration testing vendor Horizon3.ai has published technical details and a proof-of-concept exploit for three recently disclosed vulnerabilities in VMware vRealize Log Insight that, chained together, allow remote code execution.
VMware disclosed four vulnerabilities on Jan. 24 affecting vRealize Log Insight, its log collection and analytics product. They include directory traversal flaw CVE-2022-31706, with a critical CVSSv3 base score of 9.8; broken access control flaw CVE-2022-31704, also with a critical CVSSv3 base score of 9.8; information disclosure flaw CVE-2022-31711, with a moderate CVSSv3 base score of 5.3; and deserialization flaw CVE-2022-31710, with an important CVSSv3 base score of 7.5.
Updates for the vulnerabilities are available for VMware vRealize Log Insight in the form of version 8.10.2. VMware also published workarounds as an alternative for affected customers. According to the advisory, all four flaws were reported by Trend Micro's Zero Day Initiative.
VMware said in the advisory that CVE-2022-31706 and CVE-2022-31704 can each lead to remote code execution. On Tuesday, Horizon3.ai published technical details and a proof-of-concept exploit showing how CVE-2022-31706, CVE-2022-31704 and CVE-2022-31711 can be chained to execute code remotely. The company had published a blog post the previous Friday containing indicators of compromise as well as technical details of the exploit chain.
Horizon3.ai exploit developer James Horseman wrote in Friday's blog post that the chain is "easy to exploit," though attackers will need infrastructure in place to deliver malware.
"Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network," Horseman wrote. "This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done."
Horseman urged customers to update their instances or apply the workarounds, adding that while some have likely done so already, "we expect that there are many who have not yet patched." He also noted that a Shodan search revealed only 45 instances publicly exposed on the internet, since vRealize Log Insight is typically deployed on internal networks.
In an email to TechTarget Editorial, Horseman explained why Horizon3.ai decided to release the POC exploit shortly after VMware's disclosure.
"There are many factors that go into determining our timeline for release," he said. "The attack complexity of this exploit is so low that releasing a POC to the community is more valuable than not. The POC allows defenders to tune their tools to detect and prevent this exploit."
Dustin Childs, communications manager for ZDI, told TechTarget Editorial that the four vRealize Log Insight vulnerabilities were reported to ZDI by an anonymous researcher.
"While the researcher did not specify how they found this vulnerability, based on their write-up, they likely looked into the Java JAR files used by the VMware vRealize suite," Childs said. "We have a few other VMware bug reports awaiting resolution and we will likely blog about the details once they have all been addressed by VMware."
VMware on Tuesday updated its advisory to note that it "has confirmed that exploit code for CVE-2022-31706, CVE-2022-31704, and CVE-2022-31710 have been published."
Alexander Culafi is a writer, journalist and podcaster based in Boston.