Three security vulnerabilities affecting VMware's vRealize Log Insight platform now have public exploit code circulating, offering a map for cybercriminals to follow to weaponize them. These include two critical unauthenticated remote code execution (RCE) bugs.
The vRealize Log Insight platform (which is transitioning its name to Aria Operations) provides intelligent log management "for infrastructure and applications in any environment," according to VMware, offering IT departments access to dashboards and analytics that have visibility across physical, virtual, and cloud environments, including third-party extensibility. Usually loaded onto an appliance, the platform can have highly privileged access to the most sensitive areas of an organization's IT footprint.
"Gaining access to the Log Insight host provides some interesting possibilities to an attacker, depending on the type of applications that are integrated with it," said Horizon.ai researcher James Horseman, who did a deep dive into the public exploit code this week. "Often, logs ingested may contain sensitive data from other services and may allow an attacker to gather session tokens, API keys, and personally identifiable information. Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment."
Organizations should take note of the risk, especially since the barrier to exploitation for the bugs — aka, the access complexity — is low, says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which reported the vulnerabilities.
"If you are doing centralized log management with this tool, it represents a significant risk to your enterprise," he tells Dark Reading. "We recommend testing and deploying the patch from VMware as soon as possible."
The two critical issues carry severity scores of 9.8 out of 10 on the CVSS scale and could allow an "unauthenticated, malicious actor to inject files into the operating system of an impacted appliance which can result in remote code execution," according to the original VMware advisory.
One (CVE-2022-31706) is a directory traversal vulnerability; the other (CVE-2022-31704) is a broken access control vulnerability.
The third flaw is a high-severity deserialization vulnerability (CVE-2022-31710, CVSS 7.5), which could allow an unauthenticated malicious actor to "remotely trigger the deserialization of untrusted data, which could result in a denial of service."
Horizon.ai researchers, after identifying the exploit code in the wild, discovered that the three issues could be chained together, prompting VMware to update its advisory today.
"This [combined] vulnerability [chain] is easy to exploit; however, it requires the attacker to have some infrastructure setup to serve malicious payloads," Horseman wrote. "This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system."
That said, he offered a silver lining: the product is intended for use on an internal network, though he noted that Shodan data turned up 45 instances of the appliance publicly exposed on the Internet.
That does not, however, mean that the chain can’t be used from within.
"Since this product is unlikely to be exposed to the Internet, the attacker likely has already established a foothold somewhere else on the network," he noted. "If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done."
The three bugs were first disclosed last week by the virtualization giant as part of a cache that also included one other, a medium-severity information-disclosure bug (CVE-2022-31711, CVSS 5.3) that could allow data harvesting without authentication. The latter doesn't yet have public exploit code, though that could quickly change, particularly given how popular a target VMware offerings are for cybercriminals.
There could also soon be multiple ways to exploit the other issues. "We have proof-of-concept code available to demonstrate the vulnerabilities," ZDI's Childs says. "We would not be surprised if others figured out an exploit in short order."
To protect their organizations, admins are urged to apply VMware's patches, or apply a published workaround as soon as possible. Horizon.ai has also published indicators of compromise (IoCs) to help organizations track any attacks.
Also, "if you are using vRealize or Aria Operations for centralized log management, you need to check what type of exposure that system has," Childs advises. "Is it connected to the Internet? Are there IP restrictions for who can access the platform? These are additional items to consider beyond patching, which should be your first step. It's also a reminder that every tool or product in an enterprise represents a potential target for attackers to gain a foothold."
Security teams working to secure their organizations against a nearly two-year-old vulnerability in VMware's ESXi hypervisor technology that attackers suddenly began exploiting en masse last week must pay attention to all ESXi hosts in the environment, not just Internet-accessible ones.
That's the advice of security vendor Bitdefender after it analyzed the threat and discovered that attackers can exploit it in multiple ways.
The vulnerability in question, CVE-2021-21974, is present in VMware's implementation of a service delivery protocol in ESXi called Open Service Location Protocol (OpenSLP). The vulnerability gives unauthenticated attackers the ability to remotely execute malicious code on affected systems without any user interaction.
VMware disclosed the vulnerability in February 2021 and issued a patch for it at the same time. Since then, attackers have targeted it heavily and made CVE-2021-21974 one of the most exploited vulnerabilities in 2021 and 2022. On Feb. 3, France's computer emergency response team warned about bad actors exploiting CVE-2021-21974 to distribute a ransomware variant dubbed ESXiArgs on ESXi hosts around the world.
The widespread nature of the attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to release a recovery script that victims of ESXiArgs could use to try to recover their systems.
Martin Zugec, technical solutions director at Bitdefender, says that though the initial compromise vector remains unknown, a popular theory is that it is direct exploitation through Internet-exposed port 427. VMware itself has recommended that if organizations cannot patch immediately, they should block access to port 427.
While that measure can slow down an adversary, it does not eliminate risk from the flaw entirely because attackers can exploit the vulnerability in other ways as well, Zugec says. If an organization blocks port 427, for instance, an attacker could still compromise one of the virtual machines running on an ESXi host via any existing vulnerability.
They could then escape the compromised virtual machine to exploit the vulnerability in OpenSLP and gain root access to the host, he says.
"Threat actors can use any existing vulnerability to compromise a virtual machine — whether it's Linux or Windows-based," Zugec notes.
A threat actor can also, relatively easily, buy access on the Dark Web to a previously compromised virtual machine and attempt OpenSLP remote code execution against the hosting hypervisor, he says.
"If successful, the threat actor can gain access not only to the hypervisor host, but also to all other machines running on the same server," Zugec says. "The OpenSLP exploit in this case would allow a threat actor to escalate their access and move laterally to other — potentially more valuable — machines."
Zugec says Bitdefender has so far seen no evidence of attackers exploiting the VMware ESXi vulnerability in this manner. But, given the major focus on direct exploitation via port 427, Bitdefender wanted to warn the public about other methods to exploit this vulnerability, he says. In addition to blocking access to port 427, VMware has also recommended that organizations that cannot patch CVE-2021-21974 simply disable SLP where possible.
Bitdefender said its analysis of the latest attacks targeting CVE-2021-21974 suggests that the threat actors behind them are opportunistic and not very sophisticated. Many of the attacks appear completely automated in nature, from initial scans for vulnerable systems to ransomware deployment.
"We can compare this to WannaCry," Zugec notes. "While these attacks can reach a wide range of machines, the impact remains limited."
But more sophisticated threat actors would use the flaw in ESXi to conduct a much larger operation, he says. Initial access brokers, for instance, could deploy a remote Web shell and disable the SLP service so that other threat actors cannot exploit the same flaw. They could then simply lie in wait for the best opportunity to monetize their access. Potential options could include data theft, surveillance, and cryptojacking.
To fully address the risk of a cyberattack exploiting the VMware vuln, Bitdefender — like VMware and others — recommends that organizations apply the patch for it immediately.
By exploiting the vulnerabilities in VMware’s vRealize Log Insight tool, an attacker could seize control of an impacted system, the U.S. cybersecurity agency said Wednesday.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging the deployment of patches for vulnerabilities affecting a VMware log management and analytics tool, including two vulnerabilities that have received a “critical” severity rating from VMware.
The two critical vulnerabilities affecting VMware’s vRealize Log Insight tool could be leveraged to enable remote execution of code on a system by an unauthenticated user, the company said. In other words, “a remote attacker could exploit these vulnerabilities to take control of an affected system,” CISA said in its advisory Wednesday.
“CISA encourages users and administrators to review VMware Security Advisory VMSA-2023-0001 and apply the necessary updates,” the agency said.
While both VMware and CISA are referring to the affected tool as vRealize Log Insight in their advisories, presumably because that is the more recognizable name, the tool has actually been renamed and is now officially known as VMware Aria Operations for Logs, according to VMware's website.
The two VMware vulnerabilities that could enable remote code execution are CVE-2022-31706, a directory traversal vulnerability, and CVE-2022-31704, a broken access control vulnerability, both rated 9.8 on the CVSS scale.
The two other vRealize Log Insight vulnerabilities disclosed this week by VMware include a deserialization vulnerability (with a severity score of 7.5, considered to be of “important” severity) and an information disclosure vulnerability (with a severity score of 5.3, considered to be of “moderate” severity).
When it comes to the ongoing issue of needing to address vulnerabilities in software, the key for organizations is to get a handle on what the real business impact will be from any given vulnerability — and then prioritize accordingly, according to Brad Davenport, vice president of technical architecture for cybersecurity, networking and collaboration at Logicalis US, No. 66 on the 2022 CRN Solution Provider 500.
“With so many different solutions in your infrastructure, with so many different software suites, you can’t possibly be expected to be 100 percent patched all of the time,” Davenport told CRN. “It’s a constant prioritization game to determine what ultimately is the business impact, and then to really prioritize those things.”
Being able to prioritize in that way, however, is an area that many businesses struggle with. Many businesses "have not yet reached that level of maturity, where they understand what the real business impact of vulnerabilities is," he said.
That’s prompted many organizations to seek out advisory services for these types of scenarios from providers that offer them such as Logicalis US, Davenport said.
“What we’ve tried to do is push that conversation further outside of the IT decision makers, and talk more generally with the business leaders and business owner about risks” from issues such as software vulnerabilities, he said.
The Cybersecurity and Infrastructure Security Agency (CISA) is stepping up efforts to help thousands of VMware customers hammered in waves of ransomware attacks exploiting a two-year old security vulnerability.
“CISA is working with our public and private sector partners to assess the impacts of these reported incidents and provide assistance where needed,” a CISA spokesperson told SC Media. “Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”
[Editor's Note: For an update to CISA's efforts to help VMware ESXi ransomware victims see CISA releases ESXiArgs-recovery tool for VMware ransomware victims]
The large-scale ransomware attacks are ongoing and have targeted thousands of VMware ESXi servers worldwide, with many more unpatched servers at high risk of exploitation, according to experts.
Europe is the worst-affected region, while North America also has a high number of targets, according to Italy's National Cybersecurity Agency, one of the first agencies to send out an alert over the weekend.
A VMware spokesperson told SC Media that the hack exploits a two-year-old VMware vulnerability, identified as CVE-2021-21974. Given that a patch was made available back in February 2021, customers should immediately apply it if they have not done so, the spokesperson said.
Nearly 3,200 VMware ESXi servers worldwide have been compromised in this ransomware campaign, dubbed ESXiArgs, according to a Censys search via Bleeping Computer. France is the most affected country, followed by the United States, Germany and Canada.
U.S. cybersecurity officials said they are aware of the report and are working to assess the impacts. Beyond telling affected VMware customers to report incidents of attack against vulnerable ESXi servers, it's unclear what level of support CISA is offering.
One of CISA's goals is fostering public and private sector partnerships. In 2021, incoming CISA Director Jen Easterly announced the formation of the Joint Cyber Defense Collaborative (JCDC). Over 20 cybersecurity firms are part of the collaborative, with ransomware being the group's initial focus.
A past example of CISA's JCDC collaboration with the private sector was assisting with remediation efforts for Log4Shell. At the time, CISA created a Slack channel to share near-real-time threat intelligence and created a clearinghouse of information on the threat. It also helped the private sector take collective action to reduce Log4Shell risks.
Patrick Tiquet, VP of security and architecture at Keeper Security, said that the incidents exemplify the inadequacies of patching within the security community.
“VMware shared these vulnerabilities and released the update to remediate them nearly two years ago,” Tiquet said. “It should come as no surprise that threat actors are now taking advantage of known vulnerabilities at organizations that failed to deploy the security patches.”
And considering the ubiquity, criticality, and increasingly broad adoption of technologies like ESXi, it should be at the top of patching priorities, Jack Danahy, VP of strategy and innovation at NuHarbor Security, added.
Boris Cipot, senior security engineer from Synopsys Software Integrity Group, said that “a planned procedure” and “a thorough approach” are needed to patch the software efficiently and avoid similar incidents in the future.
The deal is already being probed by the European Commission because of concerns that Broadcom could restrict competition in the market for certain hardware components that interoperate with VMware’s software.
Broadcom’s planned acquisition of VMware is facing another challenge, as a UK authority has begun an investigation.
The Competition and Markets Authority (CMA) has launched the first stage of an investigation into the merger bid, to assess if it could impact competition within UK markets.
The $61bn deal was one of the largest announcements in the tech sector last year. If approved, it would see the Broadcom Software Group rebrand and operate as VMware, incorporating Broadcom’s infrastructure and security software as part of an expanded VMware portfolio.
But concerns have been raised about the potential this deal has in restricting competition, due to the power of both companies individually. Last month, the European Commission began an in-depth investigation into the merger bid.
Last November, the CMA opened an invitation from “any interested party” to comment on the proposed deal, while it considered whether to investigate.
The UK authority has given a date of 22 March to make a “phase 1 decision”, which could lead to more in-depth investigation. The watchdog hasn’t shared any specific data on what it will investigate and said this decision date could change.
Last month, the European Commission shared concerns that the deal would allow Broadcom to restrict competition in the market for certain hardware components that interoperate with VMware’s software.
For example, the EU investigation is examining whether Broadcom may hinder the development of smart network interface cards (smartNICs). This would be significant as VMware launched Project Monterey in 2020 with smartNIC sellers Nvidia, Intel and AMD Pensando.
The commission said Broadcom could decrease VMware’s involvement in this project to protect its own NIC revenues, which could “hamper innovation to the detriment of customers”.
Broadcom previously said the deal aligns with its strategy of scaling its software business and would offer new growth opportunities. The semiconductor giant took a big leap into the software sector when it acquired enterprise software vendor CA Technologies for almost $19bn in 2018.
It previously made a $103bn takeover bid for Qualcomm, but the deal was blocked by then US president Donald Trump in 2018 over national security concerns.