VMware has released updates for a group of four vulnerabilities in its vRealize Log Insight logging platform, three of which can be combined to achieve remote code execution with root privileges. Researchers have developed a working exploit for the bug chain and are urging enterprises to install the patches as soon as possible.
The four vulnerabilities in vRealize Log Insight include a directory traversal flaw, an information disclosure bug, a broken access control bug, and a denial-of-service flaw. The first three of those bugs can be chained together to give an attacker the ability to run code as root. VMware released updates to address the bugs on Jan. 24, but now researchers at Horizon3 have developed a working exploit for the bugs and have published it on GitHub.
The attack that the Horizon3 team developed exploits the Thrift services in vRealize Log Insight, and it requires that the target server establish an outbound connection to a remote server to download the payload. The researchers said the bugs are not difficult to exploit, but a successful attack would likely require an adversary to have some access to the target network in advance.
“This vulnerability is easy to exploit; however, it requires the attacker to have some infrastructure set up to serve malicious payloads. Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network. This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done,” James Horseman of Horizon3 said in a post analyzing the flaws.
“Gaining access to the Log Insight host provides some interesting possibilities to an attacker depending on the type of applications that are integrated with it. Often logs ingested may contain sensitive data from other services and may allow an attacker to gather session tokens, API keys, and PII. Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment.”
The vulnerabilities affect version 8.x of vRealize Log Insight, and the fixed version is 8.10.2.
VMware also has released workarounds for the bugs for organizations that aren’t able to update right away.