Horizon3.ai Publishes POC & Deep Dive For VMware vRealize Log Insight RCE

Horizon3.ai has just published “VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive” on the new CVEs affecting VMware vRealize Log Insight, which were reported by ZDI. 

Three of these CVEs can be combined to give an attacker remote code execution as root, and the vulnerability is exploitable in the default configuration for VMware vRealize Log Insight. The Horizon3.ai team has successfully reproduced the exploit and would like to provide the technical details about how this vulnerability works. The team’s POC can be found on GitHub.

VMware vRealize Log Insight is used across enterprises to collect logs and provide analytics. This vulnerability poses moderate risk to organizations: it gives attackers initial access if the appliance is exposed to the internet, and enables lateral movement using any credentials stored on it. The Horizon3.ai Attack Team has published the data so users can determine whether they have been compromised.

Horizon3.ai Exploit Developer James Horseman noted when issuing indicators of compromise: “This vulnerability is easy to exploit; however, it requires the attacker to have some infrastructure set up to serve malicious payloads. Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network.

“This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”

VMware has released an advisory with patches and workarounds for these vulnerabilities, and the team urges all VMware users to heed the VMware advisory and patch or apply the workaround immediately.
