VMware has issued fixes for four vulnerabilities, including two critical 9.8-rated remote code execution bugs, in its vRealize Log Insight software.
There are no reports (yet) of nation-state thugs or cybercriminals finding and exploiting these bugs, according to VMware. However, it’s a good idea to patch sooner than later to avoid being patient zero.
vRealize Log Insight is a log management tool – everyone’s favourite tas, not – and while it may not be as popular as some of the virtualization giant’s other products, VMware’s ubiquity across enterprises and governments and practice of bundling products means holes in its products are always very attractive targets for miscreants looking to make a buck and/or steal sensitive information.
Case in point: the state-sponsored Iranian crew that, in November, exploited the high-profile Log4j vulnerability to infiltrate an unpatched VMware Horizon server within the US federal government and deployed the XMRig crypto miner.
The two most serious bugs in today’s security advisory include a directory traversal vulnerability (CVE-2022-31703) and a broken access control vulnerability (CVE-2022-31704). Both received a near-perfect 9.8 out of 10 CVSS rating.
While the two flaws provide different paths for a miscreant to gain unauthorized access to restricted resources, the result of a successful exploit is the same.
“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMware warned about both critical bugs.
The third bug, CVE-2022-31710, is a deserialization vulnerability in vRealize Log Insight that could allow an unauthenticated, remote attacker to manipulate data and cause a denial of service attack. It’s in the important severity range, with a 7.5 CVSS score.
And finally, CVE-2022-31711 is an information disclosure bug that could allow an unauthenticated attacker to remotely steal sensitive session and application information. It received a 5.3 severity rating.
Updating to VMware vRealize Log Insight 8.10.2 should plug all four holes, according to the vendor, and VMware issued workaround instructions as well.
The Zero Day Initiative found all four bugs and reported them to VMware.
“We’re not aware of any public exploit code or active attacks using this vulnerability,” Dustin Childs, head of threat awareness at Trend Micro’s ZDI, told The Register. “While we have no current plans to publish proof of concept for this bug, our research in VMware and other virtualization technologies continues.”
The latest security holes come a couple of months after VMware disclosed three critical-rated flaws in Workspace ONE Assist for Windows – a product used by IT and help desk staff to remotely take over and manage employees’ devices.
Those flaws were rated 9.8 out of 10 on the CVSS scale.
A miscreant able to reach a Workspace ONE Assist deployment, either over the internet or on the network, can exploit any of these three bugs to obtain administrative access without the need to authenticate. Then, the intruder or rogue insider can contact users to offer them assistance that is anything but helpful, such as seizing control of devices. ®