Warning - Two critical and two important security vulnerabilities in VMware vRealize Log Insight
CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, and CVE-2022-31711
VMware - https://www.vmware.com/security/advisories/VMSA-2023-0001.html
An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
Since a PoC has been published, exploitation of this vulnerability in the wild has become more likely.
Multiple vulnerabilities in VMware vRealize Log Insight were privately reported to VMware. Updates and workarounds are available to address these vulnerabilities in affected VMware products.
CVE-2022-31706 is a vRealize Log Insight Directory Traversal Vulnerability.
CVE-2022-31704 is a vRealize Log Insight broken access control vulnerability.
For both CVE-2022-31706 and CVE-2022-31704, an unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
CVE-2022-31710 is a deserialization vulnerability that can be triggered remotely to cause denial of service.
CVE-2022-31711 is an information disclosure flaw that attackers can exploit to remotely collect sensitive session and application information without authentication.
To remediate CVE-2022-31706, CVE-2022-31704, CVE-2022-31710 and CVE-2022-31711 apply the updates listed via this URL: https://customerconnect.vmware.com/downloads/details?downloadGroup=VRLI-...
Workarounds for CVE-2022-31706, CVE-2022-31704, CVE-2022-31710 and CVE-2022-31711 can be found via this URL: https://kb.vmware.com/s/article/90635.
The CCB recommends that organisations strengthen their monitoring and detection capabilities in order to identify any related suspicious activity and to ensure a fast response in case of an intrusion.
While patching appliances or software to the newest version protects against future exploitation, it does not remediate a historic compromise.
When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify that no exploitation occurred between the patch becoming available and its being applied. The external research listed in the references section explains how to detect exploitation using application logs, firewall logs and network traffic.
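The following is an added example (not part of this CCB advisory and not code from VMware or the referenced Horizon3.ai research) of a firewall-log check such a threat assessment could start from. It assumes that the Log Insight cluster's internal Thrift RPC listens on TCP 16520-16580 (verify this against the vendor's port documentation for your version), that the cluster node addresses, the advisory date and the local patch date are known, and it uses a constructed, simplified firewall log format; all sample log lines are fabricated. It flags allowed inbound connections to those ports that originate from outside the cluster during the window between the fix becoming available and being applied.

```python
from datetime import datetime, timezone

# Hypothetical cluster inventory: the Log Insight nodes that are legitimately
# allowed to talk to each other over the internal RPC ports.
CLUSTER_NODES = {"10.0.5.11", "10.0.5.12", "10.0.5.13"}

# Assumed port range used by the cluster's internal Thrift RPC. Verify this
# against the vendor's port documentation for your version before relying on it.
THRIFT_PORTS = range(16520, 16581)

# Assumed assessment window: from the day the fix became available (advisory
# date, assumed) until the day this appliance was patched (hypothetical).
ADVISORY_PUBLISHED = datetime(2023, 1, 24, tzinfo=timezone.utc)
PATCH_APPLIED = datetime(2023, 2, 1, tzinfo=timezone.utc)

# Constructed firewall log lines in a simplified, made-up format:
#   <ISO 8601 timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_FIREWALL_LOG = """\
2023-01-25T08:12:03Z ALLOW TCP 10.0.5.12:51022 -> 10.0.5.11:16520
2023-01-27T21:44:10Z ALLOW TCP 203.0.113.45:40021 -> 10.0.5.11:16520
2023-01-27T21:44:12Z ALLOW TCP 203.0.113.45:40022 -> 10.0.5.11:16521
2023-01-28T09:00:00Z ALLOW TCP 192.168.1.20:51000 -> 10.0.5.11:443
2023-01-29T11:05:17Z DENY TCP 198.51.100.7:39914 -> 10.0.5.13:16520
2023-02-03T03:15:42Z ALLOW TCP 198.51.100.7:39915 -> 10.0.5.13:16520
"""


def parse_line(line):
    """Parse one constructed log line into a dict; raises ValueError on malformed input."""
    fields = line.split()
    if len(fields) != 6 or fields[4] != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    ts, action, proto, src, _, dst = fields
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "action": action,
        "proto": proto,
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
    }


def suspicious_rpc_connections(log_text, window_start, window_end,
                               cluster_nodes=CLUSTER_NODES, rpc_ports=THRIFT_PORTS):
    """Return allowed TCP connections to a cluster node's RPC ports that came
    from outside the cluster and fall inside [window_start, window_end]."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not window_start <= ev["ts"] <= window_end:
            continue  # outside the exposure window under assessment
        if ev["action"] != "ALLOW" or ev["proto"] != "TCP":
            continue  # blocked attempts are reconnaissance, not a completed call
        if ev["dst_ip"] not in cluster_nodes or ev["dst_port"] not in rpc_ports:
            continue  # not the unauthenticated RPC surface of a cluster node
        if ev["src_ip"] in cluster_nodes:
            continue  # legitimate node-to-node traffic
        hits.append(ev)
    return hits


def run_sample():
    """Run the check over the constructed sample log for the assumed window."""
    return suspicious_rpc_connections(SAMPLE_FIREWALL_LOG, ADVISORY_PUBLISHED, PATCH_APPLIED)


if __name__ == "__main__":
    for ev in run_sample():
        print(f"{ev['ts'].isoformat()} {ev['src_ip']} -> {ev['dst_ip']}:{ev['dst_port']} "
              "investigate: external source reached a cluster RPC port")
```

On the sample data this reports the two allowed connections from 203.0.113.45 and ignores the node-to-node traffic, the web UI connection on 443, the denied attempt, and the connection after the patch date. A hit is a lead, not proof of compromise: correlate it with the appliance's own logs and with any unexpected files on the appliance, following the detection guidance in the references. Denied connections are dropped here deliberately; if you also want to see scanning activity, relax the action filter.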
VMware (security advisory) - https://www.vmware.com/security/advisories/VMSA-2023-0001.html
VMware (remediation) - https://customerconnect.vmware.com/downloads/details?downloadGroup=VRLI-...
VMware (workaround) - https://kb.vmware.com/s/article/90635
VMware (release notes) - https://docs.vmware.com/en/vRealize-Log-Insight/8.10/rn/vrealize-log-ins...
External research (Horizon3.ai):
Focus on detection - https://www.horizon3.ai/vmware-vrealize-cve-2022-31706-iocs/
Deep dive + PoC - https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive/