PoC & Deep Dive Published For VMware vRealize Log Insight RCE

Posted in Commentary on January 31, 2023 by itnerd

A write-up titled “VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive” has just been published on the new CVEs affecting VMware vRealize Log Insight, which were reported by ZDI.

Three of these CVEs can be chained to give an attacker remote code execution as root, and the chain works against the default configuration of VMware vRealize Log Insight. The team has reproduced the exploit and is providing the technical details of how the vulnerability works; its PoC is on GitHub.

VMware vRealize Log Insight is used across enterprises to collect logs and provide analytics. The team rates the risk to organizations as moderate: the bug gives an attacker initial access if the appliance is exposed to the internet, and a foothold for lateral movement using any stored credentials. The attack team has also published indicators of compromise so users can determine whether they have been compromised. Exploit developer James Horseman noted when issuing them: “This vulnerability is easy to exploit, however, it requires the attacker to have some infrastructure setup to serve malicious payloads. Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network.

   “This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”

VMware has released an advisory, patches and workarounds for these vulnerabilities, and the team urges all VMware users to heed the VMware advisory and patch or apply the workaround immediately.

NodeZero App For Splunkbase Introduced & Free Trial Offered

Posted in Commentary on June 23, 2022 by itnerd

The NodeZero app for Splunk has been introduced and is available via Splunkbase. It lets Splunk environments use NodeZero and the attacker’s perspective to improve the effectiveness of Splunk deployments and confirm that they are logging the right data to get the most out of Splunk.

The NodeZero app for Splunk automates pulling data from the NodeZero APIs and ingesting it into Splunk Cloud Platform. The app integrates with the Splunk user experience to help users:

  • Find, fix, and verify logging blind spots
  • Decide where to increase and decrease logging based on the criticality of the host
  • Take inventory of assets and reconcile the attacker’s perspective of your cyber terrain

Splunk administrators are often under pressure to maximize their license value – it’s often impossible to log everything, so it’s hard to know if they are expending resources appropriately to ensure they’re logging the right data. NodeZero can help identify where logging is most needed, so that the organization’s resources are deployed for maximum impact.

NodeZero maintains an action log of every command it has executed during a pentest. The NodeZero App for Splunk offers insights to identify blind spots in logging and create a fast feedback loop to find, fix, and verify missing data by using the action log to highlight what should have been detected when particular exploits were executed.

Identifying critical hosts: Not all hosts are critical. Some are important enough to log everything, while others may have no access to sensitive data or critical systems and thus need less logging. NodeZero identifies risk on specific hosts with context. For example, a “low” criticality server in the CMDB might have enabled an attack path through which NodeZero ultimately achieved Domain Admin; NodeZero would dynamically reclassify that host as CRITICAL risk based on the proven attack path and impact during the pentest operation. This lets organizations use the attacker’s perspective provided by NodeZero to inform their Splunk logging strategy.
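To make these reconciliations concrete (matching the action log against what the SIEM actually recorded, re-rating hosts from a proven attack path, and the host-inventory check against the CMDB that the next paragraph describes), here is an added Python example. It is not NodeZero’s or Splunk’s code: the action-log, SIEM-event and CMDB records are constructed samples in an assumed schema, the technique-to-event-ID mapping is illustrative, and the two-minute correlation window is an arbitrary choice.

```python
"""Reconcile a pentest action log against SIEM events and a CMDB.

Added example; NOT NodeZero's or Splunk's code. Every record below is a
constructed sample in an assumed schema, not NodeZero's real API output.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed samples."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed action log: one row per command the pentest tool executed.
# 'path_id' groups the steps of one attack path; 'impact' marks what a step achieved.
ACTION_LOG = [
    {"ts": "2022-06-20T10:00:05Z", "host": "10.0.1.15", "technique": "T1110",
     "desc": "SMB password spray", "path_id": "p1", "impact": None},
    {"ts": "2022-06-20T10:04:30Z", "host": "10.0.1.22", "technique": "T1003",
     "desc": "LSASS credential dump", "path_id": "p1", "impact": None},
    {"ts": "2022-06-20T10:09:10Z", "host": "10.0.1.40", "technique": "T1021",
     "desc": "WinRM lateral movement with dumped creds", "path_id": "p1",
     "impact": "domain_admin"},
]

# Constructed SIEM events (host + Windows Security event ID). Host 10.0.1.22
# never reports anything during the test: that is the logging blind spot.
SIEM_EVENTS = [
    {"ts": "2022-06-20T10:00:07Z", "host": "10.0.1.15", "event_id": 4625},
    {"ts": "2022-06-20T10:00:08Z", "host": "10.0.1.15", "event_id": 4625},
    {"ts": "2022-06-20T10:09:12Z", "host": "10.0.1.40", "event_id": 4624},
]

# Illustrative mapping from ATT&CK technique to the event IDs a defender would
# expect to see; a real deployment tunes this per log source.
EXPECTED_EVENTS = {
    "T1110": {4625},        # failed logons produced by a password spray
    "T1003": {4656, 4663},  # handle / object access on LSASS
    "T1021": {4624},        # successful remote logon
}

# Constructed CMDB: known hosts and the criticality each was declared with.
CMDB = {"10.0.1.15": "web-01", "10.0.1.40": "jump-01"}
CMDB_CRITICALITY = {"10.0.1.15": "low", "10.0.1.40": "high"}


def find_blind_spots(actions, events, expected, window=timedelta(minutes=2)):
    """Return (host, technique, expected_ids) for every action that produced
    none of its expected event IDs on that host within `window` afterwards.
    An action whose technique has no expectation defined is also returned
    (with an empty list): nobody has decided how it should be detected."""
    blind = []
    for a in actions:
        t0 = parse_ts(a["ts"])
        want = expected.get(a["technique"], set())
        seen = {e["event_id"] for e in events
                if e["host"] == a["host"] and t0 <= parse_ts(e["ts"]) <= t0 + window}
        if not (seen & want):
            blind.append((a["host"], a["technique"], sorted(want)))
    return blind


def ghost_hosts(actions, cmdb, events):
    """Hosts the pentest reached that the CMDB does not know or the SIEM never saw."""
    reached = {a["host"] for a in actions}
    logged = {e["host"] for e in events}
    return {"missing_from_cmdb": sorted(reached - set(cmdb)),
            "missing_from_siem": sorted(reached - logged)}


def reclassify(actions, criticality, critical_impacts=("domain_admin",)):
    """Raise every host on an attack path that reached a critical impact to
    CRITICAL, regardless of the criticality the CMDB declared for it."""
    critical_paths = {a["path_id"] for a in actions if a["impact"] in critical_impacts}
    rated = dict(criticality)
    for a in actions:
        if a["path_id"] in critical_paths:
            rated[a["host"]] = "CRITICAL"
    return rated


if __name__ == "__main__":
    print("blind spots:", find_blind_spots(ACTION_LOG, SIEM_EVENTS, EXPECTED_EVENTS))
    print("ghost hosts:", ghost_hosts(ACTION_LOG, CMDB, SIEM_EVENTS))
    print("criticality:", reclassify(ACTION_LOG, CMDB_CRITICALITY))
```

Run stand-alone it reports the credential dump on 10.0.1.22 as undetected, lists that host as absent from both the CMDB and the SIEM, and promotes all three hosts on path p1 to CRITICAL even though the CMDB rated 10.0.1.15 as “low”. The same three checks apply to any attacker-side action log, whatever tool produced it, as long as it carries a timestamp, a host and a technique per step.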

Revealing “ghost hosts” & shadow IT: NodeZero inventories every reachable host in the organization’s environment during a pentest. That inventory often exposes a simple blind spot: are all of those hosts seen in Splunk Cloud Platform? Organizations frequently find hosts they did not know existed, were unaware had been added, or rogue devices known to no one (shadow IT). The app lets users reconcile NodeZero-discovered hosts with the existing IT assets in Splunk, marrying the traditional and the attacker’s perspectives for greater insight. A free trial of the NodeZero App for Splunk is also being offered.

NodeZero Offers True Understanding of Cyber Risk Profile Across The Entire Environment

Posted in Commentary on June 1, 2022 by itnerd

The company today announced that it has extended the capabilities of its NodeZero platform to include external penetration testing. With this enhancement, it claims to be the first autonomous penetration testing platform to offer organizations both internal and external penetration testing in one self-service platform. NodeZero continuously assesses an enterprise’s internal infrastructure and external attack surface, identifying ways an attacker could chain together harvested credentials, misconfigurations, dangerous product defaults, and exploitable vulnerabilities to compromise systems and data. With both internal and external testing, organizations can now assess all their assets, on-prem, cloud, and hybrid, from both inside and outside the perimeter.

Combining the results of an external and an internal penetration test gives organizations a true understanding of their cyber risk profile across their entire environment.

NodeZero offers organizations the following benefits:

  • Verify if public facing assets open doors to ransomware exposure – Ransomware attacks have become democratized, with criminal groups establishing Ransomware-as-a-Service (RaaS) operations, renting ransomware to recruited affiliates that, in turn, run attacks against organizations and pay a “royalty” to the RaaS providers. With NodeZero, organizations will understand what attack paths ransomware actors can exploit to breach the perimeter, move laterally within the network, and gain access to “crown jewel” data.
  • Visualize the risk and impact – See the risk and impact of misconfigured third-party applications and weak or default credentials as an attacker would use them to breach your perimeter. Credential attacks are the fastest growing attack path across the globe, and NodeZero will autonomously and safely attack your public-facing assets so you know where your most critical problems exist.
  • Improve asset management and eliminate shadow IT – With NodeZero, organizations can continuously discover their public-facing assets, hybrid cloud assets, and internal assets. NodeZero allows organizations to understand and visualize the true risk these assets pose based on real-world exploitation rather than just theoretical risk.
  • Understand third-party and supply chain risks – NodeZero can be run continuously, both internally and externally, providing an immediate understanding of third-party and supply chain risks.
  • Save time and resources – Penetration tests can be set up within minutes and executed as often as needed. NodeZero quickly identifies exploitable internal and external attack vectors and ineffective security controls. No extensive tuning, training, or certifications are required, and results are prioritized with proof, so time and resources can be spent fixing only what matters.
  • Continuous security assessments – NodeZero is every organization’s purple team partner, orchestrating hundreds of attack tools and techniques across an entire environment to chain attack paths and demonstrate real risk and impact. This isn’t an annual compliance checkbox or a limited snapshot in time. Autonomous penetration tests with NodeZero can be automated and run as often as needed to ensure that blue and red teams can focus and complement each other’s efforts.

Read more about NodeZero’s external pentesting capabilities here.

Critical VMware Vulnerability That Grants Administrative Access Reproduced

Posted in Commentary on May 24, 2022 by itnerd

The attack team has successfully reproduced CVE-2022-22972, which affects multiple VMware products. The vulnerability allows malicious actors to gain administrative access to VMware Workspace ONE Access, Identity Manager and vRealize Automation. That the researchers reproduced it is good news for them, but bad for anyone using the affected products: it means threat actors can do the same, and then weaponize it.

Zach Hanley, Chief Attack Engineer:

“Last week VMware released VMware Security Advisory – 0014 which details a critical vulnerability, CVE-2022-22972, which allows a remote attacker to bypass authentication for VMware Workspace ONE, vIDM, and vRA. This vulnerability can lead to attackers gaining administrative rights on the VMware applications and may also lead to root level access on the appliances if chained with CVE-2022-22973. 

“Coinciding with VMware’s security advisory, CISA announced an Emergency Directive mandating that all government agencies patch or mitigate affected products by May 23, 2022. This 5-day remediation window was deemed necessary given the critical nature of the applications and rapid weaponization of previous CVEs. Currently, no other proof-of-concepts have been announced and no reports of in-the-wild exploitation have been noted by threat intelligence organizations. 

“A quick search for the affected VMware applications returns a pretty low count of organizations that expose them to the internet. Of note, the healthcare and education industries, and state governments, all seem to make up a fair amount of the organizations that have exposures – putting them at larger risk for current and future exploitation.

“Organizations should address these issues by immediately following the guidance within the VMware Security Advisory. 

“We will likely be releasing the technical details at the end of this week. The technical details will include analyzing the patch to understand how an attacker may have previously abused this code path.

“Given that it took us about a week to develop a PoC, we fully expect motivated attackers to have already developed a PoC and begun exploiting it. We also plan on releasing a minimal PoC at the same time.”

This issue received a fix last Wednesday, as described above. I strongly advise that if you are running the affected VMware products, you patch everything immediately if you haven’t already. The list of affected products is:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

There is also a workaround detailed here for those who can’t patch all the things immediately.