
Targeted VMware RCE Vulnerabilities



VMware's vRealize Log Insight platform is affected by three security vulnerabilities for which exploit code is now publicly available, giving attackers a ready path to weaponize them. Two of the flaws are critical, unauthenticated remote code execution (RCE) bugs.

VMware is rebranding vRealize Log Insight as Aria Operations for Logs. The company describes the product as intelligent log management for infrastructure and applications "in any environment": it gives IT teams visibility across physical, virtual, and cloud environments, and its dashboards and analytics can be extended through third-party extensions.

The platform is typically deployed as an appliance and ingests data from a wide range of devices, which gives it reach into sensitive areas of an organization's IT infrastructure.

Once an attacker has gained access to the Log Insight host, the applications it integrates with open up some interesting possibilities, according to Horizon3.ai researcher James Horseman, who examined the publicly available exploit code. Ingested logs often contain sensitive data from other services, including session tokens, API keys, and personally identifiable information, all of which can be harvested during an attack. With keys and sessions taken from one system, an attacker can pivot to the next and repeat the process, compromising further systems along the way.
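The risk Horseman describes, that a log aggregator quietly accumulates other systems' credentials, can be reduced before the lines are ever ingested. The following is an added example, not code from Horizon3.ai, VMware, or the original post: a small scanner that flags secret-shaped tokens in log lines and redacts them in place, run over a handful of constructed log lines. The regular expressions, field names, and sample lines are assumptions chosen for illustration and are not derived from the Log Insight appliance or from the exploit code.

```python
import re
from dataclasses import dataclass

# Placeholder written in place of a secret. scan_log() ignores values that
# begin with it, so that already-redacted output scans clean.
REDACTED_PREFIX = "[REDACTED:"

# Heuristic patterns for secret-shaped values that commonly leak into logs
# (assumption: these are illustrative, not an exhaustive or vendor list).
# Where a pattern has a capture group, only the group is the secret; the
# surrounding context (header or cookie name) is kept for readability.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(
        r"(?i)\bauthorization:\s*bearer\s+([A-Za-z0-9._~+/=-]{20,})"),
    "session_cookie": re.compile(
        r"(?i)\b(?:JSESSIONID|PHPSESSID|sessionid)=([A-Za-z0-9_-]{16,})"),
    "api_key_param": re.compile(
        r"(?i)[?&](?:api[_-]?key|access[_-]?token)=([^&\s\"']+)"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
}

# Constructed sample lines for the demonstration (not real appliance output).
SAMPLE_LOG = [
    '2023-01-31T10:15:02Z app01 nginx: 10.0.0.5 "GET /v1/hosts?api_key=sk_live_0123456789abcdef HTTP/1.1" 200',
    '2023-01-31T10:15:03Z app01 api: request headers Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123DEF456ghi789',
    '2023-01-31T10:15:04Z web02 tomcat: Cookie: JSESSIONID=A1B2C3D4E5F6A7B8C9D0E1F2; path=/',
    '2023-01-31T10:15:05Z batch01 s3sync: using credentials AKIAIOSFODNN7EXAMPLE for user=jane.doe@example.com',
    '2023-01-31T10:15:06Z app01 nginx: 10.0.0.9 "GET /healthz HTTP/1.1" 200',
]


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # key of SECRET_PATTERNS that matched
    value: str     # the secret itself, without surrounding context


def _secret_span(m):
    """Return (start, end) of the secret inside match m, relative to m.start()."""
    if m.groups():
        return m.start(1) - m.start(0), m.end(1) - m.start(0)
    return 0, m.end(0) - m.start(0)


def scan_log(lines):
    """Return one Finding per secret-shaped value found in the given lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                start, end = _secret_span(m)
                value = m.group(0)[start:end]
                if value.startswith(REDACTED_PREFIX):
                    continue  # placeholder left by redact_line(), not a secret
                findings.append(Finding(n, kind, value))
    return findings


def redact_line(line):
    """Replace each secret in the line with a labelled placeholder, keeping context."""
    for kind, pat in SECRET_PATTERNS.items():
        def _replace(m, kind=kind):
            start, end = _secret_span(m)
            whole = m.group(0)
            return whole[:start] + f"{REDACTED_PREFIX}{kind}]" + whole[end:]
        line = pat.sub(_replace, line)
    return line


def summarize(findings):
    """Count findings per secret kind, e.g. to report which services leak most."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} -> {f.value}")
    print(summarize(found))
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Running this over the five sample lines reports four lines carrying secrets (an API key in a query string, a bearer token, a session cookie, and an AWS access key id alongside an e-mail address) and leaves the health-check line untouched. The redaction keeps the header and parameter names so the line is still useful for troubleshooting, and scanning the redacted output again yields no findings, which is the property a forwarding pipeline in front of an aggregator should have.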

Organizations therefore need to be aware of the risk, according to Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which disclosed the vulnerabilities, particularly because the bugs are easy to reach and present a low barrier to exploitation.

Centralized log management is exactly what an enterprise deploys a tool like this for, but that same central position makes a compromised instance a substantial risk to the enterprise. That is why VMware recommends testing and deploying the patch as quickly as possible once it is available.

VMware vRealize Log Insight Bugs: An In-Depth Look 

According to VMware's original advisory, the two critical issues each carry a CVSS score of 9.8 out of 10. Both allow an unauthenticated, malicious actor to inject files into the operating system of an affected appliance, which can result in remote code execution.

The first, and most serious, is a directory traversal vulnerability (CVE-2022-31706); the second is a broken access control vulnerability (CVE-2022-31704).

The third flaw (CVE-2022-31710, CVSS 7.5) is a denial-of-service vulnerability that an unauthenticated malicious actor can trigger remotely.

Creating a Bug Chain to Facilitate a Full Takeover of a System

After the exploit code appeared in the wild, researchers at Horizon3.ai revealed that the three issues can be chained together, which led VMware to update its advisory today.

Horseman wrote that the vulnerability chain is easy to exploit, although it requires the attacker to set up some infrastructure to serve malicious payloads. Because the chain yields remote code execution as root, a successful attacker takes full control of the host.

He did point out that the product is intended for use on internal networks; Shodan data turned up 45 instances exposed to the public internet. Even so, the chain works whether the attacker is inside or outside the network.

"It's very likely that the attacker already has a foothold somewhere else on the network by the time they target this product since this product is not likely to be exposed to the Internet," he noted. Additional investigation is then necessary to determine what damage the attacker has caused.

The virtualization giant released patches for the three vulnerabilities last week as part of an advisory that also covered a fourth weakness: a medium-severity bug that could allow data harvesting without authentication (CVE-2022-31711, CVSS 5.3). There is no public exploit code for that one yet, but that could change quickly given cybercriminals' growing interest in VMware products.

Other issues could well be exploited in a variety of ways in the future. ZDI's Childs said the team has proof-of-concept code demonstrating the vulnerabilities, and that it would not be a surprise if others came up with exploits quickly.

What are the Best Practices for Protecting an Enterprise? 

Admins should apply VMware's patches as soon as possible, or apply the workaround VMware recommends. Horizon3.ai has also published indicators of compromise (IoCs) that organizations can use to check whether they have been attacked.

If you are using vRealize or Aria Operations for centralized log management, patching is the first step, Childs advises, but not the only consideration: check whether the appliance is reachable from the Internet and whether access to it is restricted by IP address. The episode is also a reminder that every tool or product within an organization is a potential foothold for an attacker.

Pwn2Own 2021 Will Also Cover Zoom, MS Teams Exploits


Trend Micro's Zero Day Initiative (ZDI) on Tuesday announced the targets, prizes, and rules for the Pwn2Own Vancouver 2021 hacking competition. Pwn2Own Vancouver ordinarily takes place during the CanSecWest conference in Vancouver, Canada, but because of the Covid pandemic this year's event will be hybrid: participants can submit their exploits remotely and ZDI staff in Toronto (Canada) and Austin (Texas) will run them. The attempts will be live-streamed on YouTube and Twitch.

The prize pool for Pwn2Own 2021 exceeds $1.5 million in cash and other prizes, including a Tesla Model 3. The vehicle is offered to participants in the automotive category, where, in addition to the car, hackers can earn up to $600,000 for hacking a Tesla. The category has three difficulty levels, and the Model 3 is offered in each of them.

ZDI has also announced a new category for the event. In the new enterprise communications category, participants can earn up to $200,000 for demonstrating exploits against Zoom or Microsoft Teams. “As the workforce moves out of the office and goes remote, the tools needed to support that change become greater targets. That’s one reason we added this new category and teamed up with Zoom to have them in the contest. Microsoft Teams will also be a target. A successful demonstration of an exploit in either of these products will earn the contestant $200,000 – quite the payout for a new category,” reads the announcement published by ZDI. “A successful attempt in this category must compromise the target application by communicating with the contestant. Example communication requests could be audio call, video conference, or message,” ZDI said.

Other categories include virtualization, with a top prize of $250,000 for Microsoft Hyper-V client exploits; web browsers, with a top prize of $150,000 for Chrome and Edge exploits; enterprise applications, with a top prize of $100,000 for Microsoft 365 exploits; servers, with up to $200,000 for Microsoft Exchange and Windows RDP exploits; and local privilege escalation, with a top prize of $40,000 for Windows 10 exploits.