The IT Nerd

Horizon3.ai has just published “VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive” on the new CVEs affecting VMware vRealize Log Insight, which were reported by ZDI. 

Three of these CVEs can be combined to give an attacker remote code execution as root, and the vulnerability is exploitable in the default configuration for VMware vRealize Log Insight. The Horizon3.ai team has successfully reproduced the exploit and would like to provide the technical details about how this vulnerability works. The team’s POC can be found on GitHub.

VMware vRealize Log Insight is used across enterprises to collect logs and provide analytics. This vulnerability poses moderate risk to organizations, allowing attackers initial access, if exposed to the internet, and the ability for lateral movement with any stored credentials. The Horizon3.ai Attack Team has published the data so users can determine if they have been compromised. 

Horizon3.ai Exploit Developer James Horseman noted when issuing indicators of compromise: “This vulnerability is easy to exploit, however, it requires the attacker to have some infrastructure setup to serve malicious payloads. Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network. 

   “This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”

VMware has released an advisory and patches and workarounds for these vulnerabilities and the team urges all VMware users to heed the VMWare advisory and patch or apply the workaround immediately.

Horizon3.ai introduced the NodeZero app for Splunk, available via Splunkbase. It enables Splunk environments to leverage NodeZero and the attacker’s perspective to improve the effectiveness of Splunk deployments and ensure they’re logging the right data to get the most out of Splunk. 

The NodeZero app for Splunk can automate data pulls from NodeZero APIs which are then ingested into the Splunk Cloud Platform. The app will integrate with the Splunk user experience to help users: 

• Find, fix, and verify logging blind spots
• Decide where to increase and decrease logging based on the criticality of the host
• Take inventory of assets and reconcile the attacker’s perspective of your cyber terrain

Splunk administrators are often under pressure to maximize their license value – it’s often impossible to log everything, so it’s hard to know if they are expending resources appropriately to ensure they’re logging the right data. NodeZero can help identify where logging is most needed, so that the organization’s resources are deployed for maximum impact.

NodeZero maintains an action log of every command it has executed during a pentest. The NodeZero App for Splunk offers insights to identify blind spots in logging and create a fast feedback loop to find, fix, and verify missing data by using the action log to highlight what should have been detected when particular exploits were executed.

Identifying critical hosts: Not all hosts are critical. Some are important enough to log everything, while others may not have access to data or critical systems and thus have less requirements for logging. NodeZero is able to identify risk on specific hosts with context. For Example: A “low” criticality server in the CMDB might have enabled an attack path where NodeZero ultimately achieved Domain Admin – NodeZero would dynamically reclassify this host as CRITICAL risk based on the proven attack path and impact during a pentest operation. It lets organizations leverage the attacker’s perspective provided by NodeZero to inform their Splunk logging strategy.

Revealing “ghost hosts” & shadow IT: NodeZero inventories every reachable host within the organization’s environment during a pentest. This can often easily reveal a blind spot: are all those hosts seen in Splunk Cloud Platform? Often organizations will find hosts they didn’t know existed, were unaware had been added, or even rogue devices that aren’t known to anyone (shadow IT). The app lets users reconcile NodeZero-discovered hosts with existing IT assets in Splunk – marrying the traditional and the attacker’s perspectives to achieve greater insight.

Horizon3.ai is also offering a free trial of the NodeZero App for Splunk.

Horizon3.ai today announced it has extended the capabilities of its NodeZero platform to include external penetration testing. With this enhancement, Horizon3.ai is the first autonomous penetration testing platform to offer organizations both internal and external penetration testing in one self-service platform.

Horizon3.ai’s autonomous penetration testing platform, NodeZero, continuously assesses an enterprise’s internal infrastructure and external attack surface, identifying ways an attacker could chain together harvested credentials, misconfigurations, dangerous product defaults, and exploitable vulnerabilities to compromise systems and data. By extending NodeZero’s capabilities to include both internal and external penetration testing, organizations can now assess all their assets – including on-prem, cloud, and hybrid, from both inside and outside the perimeter.

When you combine the results of an external and internal penetration test, organizations have a true understanding of their cyber risk profile across their entire environment.

NodeZero offers organizations the following benefits:

• Verify if public facing assets open doors to ransomware exposure – Ransomware attacks have become democratized, with criminal groups establishing Ransomware-as-a-Service (RaaS) operations, renting ransomware to recruited affiliates that, in turn, run attacks against organizations and pay a “royalty” to the RaaS providers. With NodeZero, organizations will understand what attack paths ransomware actors can exploit to breach the perimeter, move laterally within the network, and gain access to “crown jewel” data.

• Visualize the risk and impact – See the risk and impact of misconfigured third-party applications and weak or default credentials as an attacker would use them to breach your perimeter. Credential attacks are the fastest growing attack path across the globe, and NodeZero will autonomously and safely attack your public-facing assets so you know where your most critical problems exist.

• Improve asset management and eliminate shadow IT – With NodeZero, organizations can continuously discover their public-facing assets, hybrid cloud assets, and internal assets. NodeZero allows organizations to understand and visualize the true risk these assets pose based on real-world exploitation rather than just theoretical risk.

• Understand third-party and supply chain risks – NodeZero can be run continuously, both internally and externally, providing an immediate understanding of third-party and supply chain risks.

• Save time and resources – Penetration tests can be set up within minutes and executed as often as needed. NodeZero quickly identifies exploitable internal and external attack vectors and ineffective security controls. No extensive tuning, training, or certifications are required, and results are prioritized with proof, so time and resources can be spent fixing only what matters.

• Continuous security assessments – NodeZero is every organization’s purple team partner, orchestrating hundreds of attack tools and techniques across an entire environment to chain attack paths and demonstrate real risk and impact. This isn’t an annual compliance checkbox or a limited snapshot in time. Autonomous penetration tests with NodeZero can be automated and run as often as needed to ensure that blue and red teams can focus and complement each other’s efforts.

Read more about NodeZero’s external pentesting capabilities here.