Security researchers have published a proof-of-concept (POC) exploit that lets remote and unauthenticated attackers take over VMware vRealize Log Insight as root user by chaining three recent vulnerabilities.
vRealize Log Insight is VMware’s log management tool for infrastructure and applications which boasts “actionable dashboards… and broad third-party extensibility across physical, virtual, and cloud environments.”
Four vRealize Log Insight vulnerabilities were made public in a security advisory from VMware on January 25 (CVE-2022-31706, CVE-2022-31704 (both CVSS 9.8 pre-auth RCE), CVE-2022-31710, CVE-2022-31711).
vRealize Log Insight exploit published: Best check for IOCs
Now security researchers at Horizon3.ai have published vRealize Log Insight vulnerability POC that uses some simple Python script to showcase how pre-auth RCE on the platform even in default settings.
This starts by exploiting an open source component of the software, built on Apache Thrift (a cross-language RPC framework that supports RPC clients and servers using the Thrift interface definition language.)
The rather elegant POC in brief entails:
- Creating a Thrift client for unauthenticated access to the Log Insight Thrift server.
- Creating malicious tar file containing a directory traversal using a valid Pak file.
- Using remotePakDownloadCommand, to upload the malicious Pak file to /tmp/<filename>.pak.
- Causing the Pak file to be extracted using pakUpgradeCommand to write the file elsewhere.
Some 45 instances appear to be publicly exposed said Horizon3.ai researchers.
“This vulnerability is easy to exploit however, it requires the attacker to have some infrastructure setup to serve malicious payloads,” they said. “Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network.”
VMware customers should update to 8.10.2 or follow updated mitigation steps here.