VMware remediates critical security vulnerabilities in vRealize Log Insight

Target Industry

Due to the widespread utilisation of VMware products, no specific target industry has been identified.

Overview

Severity level: Critical – Compromise may result in the loss of confidentiality and integrity of data in the first instance.

On Tuesday 24th January, 2023, VMware released security patches to address two critical vulnerabilities in vRealize Log Insight (also known as VMware Aria Operations for Logs). Successful exploitation ultimately enables threat actors to achieve remote code execution on unpatched appliances.

Tracked as CVE-2022-31703 and CVE-2022-31704, the vulnerabilities are a directory traversal flaw and a broken access control flaw, respectively. Successful exploitation allows malicious files to be written to the operating system of target appliances, ultimately resulting in remote code execution.

Both vulnerabilities have been assigned a critical Common Vulnerability Scoring System (CVSS) score of 9.8/10 and can potentially be exploited by threat actors without requiring any user interaction.

VMware also reported a deserialisation vulnerability (tracked as CVE-2022-31710 – CVSS score: 7.5) and an information disclosure bug (tracked as CVE-2022-31711 – CVSS score: 5.3). The former can be used to trigger a denial of service (DoS) condition and the latter can be exploited to access sensitive session and application details.

Impact

The respective vulnerabilities have the following impact:

  • CVE-2022-31703 – The vRealize Network Insight (vRNI) directory traversal vulnerability in the vRNI REST API grants a malicious actor with network access to the vRNI REST API the ability to read arbitrary files from the server.
  • CVE-2022-31704 – The vulnerability allows a remote attacker to compromise the affected system due to improper access restrictions. A remote attacker can bypass the implemented security restrictions and subsequently execute arbitrary code on the target system.
  • CVE-2022-31710 – The vulnerability exists due to insufficient input validation when processing serialised data. An unauthenticated remote threat actor can send specially crafted data to the application and cause a DoS condition on the target system.
  • CVE-2022-31711 – The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorised access to sensitive session and application information.

Vulnerability Detection

VMware has patched the aforementioned vulnerabilities in the respective product versions. Earlier versions remain vulnerable to potential exploitation.

Affected Products

The following product versions are affected by the corresponding vulnerabilities:

  • CVE-2022-31703: vRealize Log Insight: 8.0.0 – 8.10
  • CVE-2022-31704: vRealize Log Insight: 8.0.0 – 8.10
  • CVE-2022-31710: vRealize Log Insight: 8.0.0 – 8.10
  • CVE-2022-31711: vRealize Log Insight: 8.0.0 – 8.10

Containment, Mitigations & Remediations

To remediate the reported vulnerabilities, VMware strongly recommends upgrading to VMware vRealize Log Insight version 8.10.2.

The patch file for VMware vRealize Log Insight version 8.10.2 can be downloaded from the VMware Customer Connect web page.
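The detection and remediation guidance above reduces to a version check: any appliance running a build in the affected 8.0.0 – 8.10 range should be upgraded to 8.10.2. The following script, an added example that is not part of this bulletin or of any VMware tooling, triages a constructed inventory of hostnames and version strings against that range; it assumes (as a labelled assumption) that every build below 8.10.2 still needs the upgrade.

```python
"""Flag vRealize Log Insight appliances in the affected version range."""
from typing import Iterable, List, Tuple

AFFECTED_MIN = (8, 0, 0)   # lower bound of the affected range stated in the advisory
FIXED = (8, 10, 2)         # release VMware recommends upgrading to


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.10' or '8.10.0-12345678' into a comparable tuple such as (8, 10, 0).

    A trailing '-<build>' suffix is dropped; missing components are padded with 0.
    """
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True for builds in [8.0.0, 8.10.2).

    Assumption: any build below the fixed release, including 8.10 point builds
    that the advisory does not list explicitly, is treated as still unpatched.
    """
    return AFFECTED_MIN <= parse_version(version) < FIXED


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs that should be upgraded to 8.10.2."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("loginsight-01.example.internal", "8.10.0-12345678"),
    ("loginsight-02.example.internal", "8.10.2-12345679"),
    ("loginsight-03.example.internal", "8.4.1"),
    ("loginsight-04.example.internal", "7.0.3"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"UPGRADE {host}: running {ver}, below fixed release 8.10.2")
```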

Indicators of Compromise

In line with responsible disclosure practice, at the time of writing VMware has not disclosed the full details of the associated vulnerabilities and will not do so until the majority of users have updated to the latest versions of the respective product.

Threat Landscape

VMware holds approximately 52.4% of the virtualisation market share. Threat actors generally weigh the likelihood of successful compromise against asset value when deciding which attack surfaces to spend their time on. As a result, VMware products have become a prime target for threat actors. Because virtual machines have become an integral part of both personal and business operations, threat actors will continue to exploit vulnerabilities in the associated appliances in an attempt to extract the sensitive information they hold.

Threat Group

While there is no indication that the aforementioned vulnerabilities have been exploited in the wild, it is not uncommon for threat actors to target VMware appliances in their attacks, making it essential that the recommended patches are applied as soon as possible.

MITRE Methodologies

  • TA0002 – Remote Code Execution
  • T1499 – Denial of Service
  • T1083 – File and Directory Discovery
  • T1082 – System Information Discovery
