October 15, 2024
Distant code execution exploit chain accessible for VMware vRealize Log Perception

VMware printed patches final week for 4 vulnerabilities in its vRealize Log Perception product that, if mixed, may permit attackers to take over the log assortment and analytics platform. This week, a proof-of-concept exploit chain has been launched by safety researchers, together with detailed explanations for every vulnerability, that means in-the-wild assaults may quickly comply with.

“Getting access to the Log Perception host supplies some fascinating potentialities to an attacker, relying on the kind of functions which can be built-in with it,” researchers with penetration testing agency Horizon3.ai mentioned in their analysis of the failings. “Typically logs ingested could include delicate knowledge from different providers and will permit an assault to assemble session tokens, API keys, and PII. These keys and classes could permit the attacker to pivot to different techniques and additional compromise the atmosphere.”

Vulnerabilities can collectively unlock a robust assault

That is an fascinating case that showcases a standard actuality of contemporary software program safety, through which one vulnerability by itself can not result in a major compromise, however combining a number of collectively can unlock a robust assault. The primary vulnerability, tracked as CVE-2022-31704, is described by VMware in its advisory as a damaged entry management with out providing any further particulars about the place it is likely to be positioned. Nevertheless, the guide workaround script printed by the corporate alongside the product updates supplied some clues.

The script merely added a firewall rule that blocked entry to TCP ports 16520 via 16580. Based mostly on Horizon3’s investigation and notes within the vRealize Log Perception documentation, these ports are used for communication utilizing the Apache Thrift RPC (distant process name) framework. RPC is an inter-process communication protocol, via which one course of can direct one other course of to execute a sure process. “This data tells us that the vulnerability is probably going in an RPC server,” the researchers mentioned in their writeup. “Subsequent, we log into the operating system and discover that TCP port 16520 is created by a java software.”

The researchers managed to trace down the part liable for beginning a Thrift RPC server which exposes a number of distant process calls. They then constructed a easy Thrift RPC consumer to make a type of calls and noticed that the calls went via and have been executed with out authentication, therefore the damaged entry management. However this vulnerability alone, whereas offering entry to doubtlessly highly effective RPCs, shouldn’t be ample by itself to execute malicious code.

Second vulnerability is a listing traversal challenge

Enter the second vulnerability, CVE-2022-31706, which is described as a listing traversal challenge. Listing traversal is a situation that enables an attacker or a malicious course of to navigate to a filesystem path they don’t seem to be imagined to.

Whereas trying on the RPCs uncovered by the Thrift RPC the researchers discovered one referred to as remotePakDownloadCommand that downloads a file with the .pak (most likely package deal) extension and locations it within the /tmp/ listing. One other RPC referred to as pakUpgradeCommand can then be used to invoke a Python script that unpacks this file. These two instructions are used to carry out system upgdrades so the researchers realized the listing traversal flaw might be someplace within the processing of pak recordsdata.

It seems pak recordsdata are TAR format archives and their processing earlier than extraction entails validating signatures, integrity checks, manifest checks, and a number of other different steps. “If we will assemble a tar file that passes all of those checks, we’ll hit line 493 and extractFiles will parse our malicious tar, permitting us to put in writing a file with contents of our selecting to anywhere on the file system,” the researchers mentioned. “Admittedly, we spent a while manually developing a tar file that might move all of those checks earlier than we realized that we may merely use a professional improve file with a small modification to accommodate our payload.”

vRealize Log Perception pressured to obtain malicious pak file

At this level, the researchers had the knowledge required to power the vRealize Log Perception product to obtain a malicious pak file with out authentication after which place a malicious payload wherever on the system. Aside from one drawback: invoking the remotePakDownloadCommand requires a node token to work, a singular worth generated per occasion of Log Perception.

Whereas this token shouldn’t be straight accessible to an unauthenticated person, it may be leaked by invoking different RPCs reminiscent of getConfig and getHealthStatus. That is doubtless the knowledge disclosure challenge that VMware tracks in CVE-2022-31711 in its advisory.

Utilizing this, the Horizon3 researchers have been in a position to assemble a proof-of-concept exploit that locations a brand new entry into crontab—the duty scheduling mechanism on Linux-based techniques—which when executed opens a reverse shell with root privileges again to the attackers.

The fourth vulnerability in VMware’s advisory is a deserialization challenge tracked as CVE-2022-31710 that may be exploited to crash the system resulting in a denial-of-service situation. This vulnerability shouldn’t be required for the exploit chain that ends in distant code execution.

Log Perception is used to gather and analyze logs from native networks so it isn’t typical to search out such techniques uncovered to the web. Shodan searches of the general public IP area revealed solely 45 cases. Nevertheless, if an attacker beneficial properties entry to the native community, which might be achieved in some ways, and the Log Perception server shouldn’t be firewalled off, it may be compromised and doubtlessly use for lateral motion as a result of delicate knowledge it would include.

The Horizon3 researchers launched indicators of compromise that permit organizations to verify their deployments for indicators of exploitation. VMware has launched a workaround script that blocks site visitors to the port numbers related to the Thrift RPC server, in addition to model 8.10.2 of vRealize Log Perception which patches the failings.

Copyright © 2023 IDG Communications, Inc.