CVE-2022-31704
Published 2023-01-26
Priority P1 · 93 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 81.01% (99.6th percentile)
The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | vrealize_log_insight | 3.0 – 4.8 | — |
| vmware | vrealize_log_insight | >= 8.0.0 < 8.10.2 | 8.10.2 |
Detection & IOCs (extracted from sources)
- Detect reconnaissance by monitoring for unauthenticated GET requests to /i18n/component/JS?locale=en-US or /api/v1/version that return HTTP 200 with a body containing 'logInsight' or 'releaseName":'; scanners use these responses to fingerprint vulnerable versions, so a hit indicates scanning rather than exploitation itself.
- Flag vulnerable vRealize Log Insight instances by extracting the version field from API responses and checking whether it falls within 3.0 through 4.8, or within >= 8.0.0 and < 8.10.2.
- Monitor for abuse of the Thrift RPC commands (RemotePakDownloadCommand, GetConfigRequest, PakUpgradeCommand) on the vRealize Log Insight appliance; these are leveraged to achieve arbitrary file write and RCE.
- Monitor for unexpected cron job creation on vRealize Log Insight appliances; the default exploit payload writes a cron job to establish a reverse shell.
- Detect IP address spoofing attempts targeting vRealize Log Insight master/worker node IPs, as the exploit requires the attacker to present the same IP as a master/worker node.
- Alert on specially crafted PAK archive uploads to vRealize Log Insight, which are used to drop a JSP webshell payload under a pre-authenticated API endpoint location.
- Exploitation requires network access to the vRealize Log Insight appliance; the product is unlikely to be internet-exposed, so an attacker reaching it likely already has an internal foothold.
- CVE-2022-31704 is part of a chain (VMSA-2023-0001) with CVE-2022-31706 (directory traversal) and CVE-2022-31711 (information disclosure); all three must be considered together for full RCE impact assessment.
- CVE-2023-34051 is a bypass for the original VMSA-2023-0001 exploit chain; patching CVE-2022-31704 alone may not be sufficient if CVE-2023-34051 is unaddressed.
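The first two detection items above (fingerprint requests in web access logs, and the two-range version check against the Affected table) worked through as an added example. This is not code from any of the sources listed on this page. It assumes a combined-format access log and an /api/v1/version JSON body that carries a "version" field with a build-number suffix; the log lines and API body below are constructed for the demonstration.

```python
"""Added example: fingerprint-scan detection and version triage for CVE-2022-31704.

Not code from the page's sources. Log lines and API body below are constructed.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Paths the page lists as used by scanners to fingerprint Log Insight.
FINGERPRINT_PATHS = ("/i18n/component/JS?locale=en-US", "/api/v1/version")

# Combined-log prefix (assumed format): client, ident, user, [time], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor[.patch] from strings like '8.10.0-21145187' (build suffix assumed)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """Ranges from this page's Affected table: 3.0 - 4.8 (any patch level) and >= 8.0.0 < 8.10.2."""
    v = parse_version(version)
    if v is None:
        return False
    major, minor, _patch = v
    if (3, 0) <= (major, minor) <= (4, 8):
        return True
    # 8.10.2 is the fixed release, so the upper bound is exclusive.
    return (8, 0, 0) <= v < (8, 10, 2)


def version_from_api_body(body: str) -> Optional[str]:
    """Pull the 'version' field out of an /api/v1/version JSON response (field name per the page)."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    version = data.get("version") if isinstance(data, dict) else None
    return str(version) if version else None


def fingerprint_hits(log_lines: List[str]) -> Dict[str, int]:
    """Count successful (HTTP 200) GETs to the fingerprint paths per client IP."""
    hits: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if method == "GET" and status == "200" and path in FINGERPRINT_PATHS:
            hits[client] += 1
    return dict(hits)


# Constructed sample data (not captured from a real appliance) -------------------
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jan/2023:10:01:02 +0000] "GET /api/v1/version HTTP/1.1" 200 73 "-" "python-requests/2.28"',
    '10.0.0.5 - - [26/Jan/2023:10:01:03 +0000] "GET /i18n/component/JS?locale=en-US HTTP/1.1" 200 1832 "-" "python-requests/2.28"',
    '10.0.0.9 - - [26/Jan/2023:10:05:00 +0000] "GET /login HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [26/Jan/2023:10:05:01 +0000] "GET /api/v1/version HTTP/1.1" 401 96 "-" "Mozilla/5.0"',
]
SAMPLE_API_BODY = '{"releaseName":"GA","version":"8.10.0-21145187"}'

if __name__ == "__main__":
    print("fingerprint hits per IP:", fingerprint_hits(SAMPLE_LOG))
    v = version_from_api_body(SAMPLE_API_BODY)
    print(f"appliance version {v}: vulnerable={is_vulnerable(v)}")
```

Run against real access logs, a single fingerprint hit from an internal address is worth correlating with the Thrift and cron indicators above rather than alerting on alone: the same two paths are fetched by legitimate clients, and a 200 on /api/v1/version only tells you the appliance answered, not that it was exploited.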
CVSS provenance
NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
VMware
VMSA-2023-0001: VMware vRealize Log Insight latest updates address multiple security vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, CVE-2022-31711)
vendor_vmware · 2023-01-24 · CVSS 9.8 · CRITICAL
The vRealize Log Insight contains a Directory Traversal Vulnerability (this is the advisory's entry for CVE-2022-31706; the same advisory describes CVE-2022-31704 as a broken access control vulnerability). VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.
CVEs: CVE-2022-31704, CVE-2022-31706, CVE-2022-31710, CVE-2022-31711
Affected products: VMware Aria, VMware Cloud Foundation, VMware vRealize
GHSA
GHSA-x63f-7pqq-c59r: The vRealize Log Insight contains a broken access control vulnerability
ghsa_unreviewed · 2023-01-26 · CRITICAL · CWE-284
The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.
VulnCheck
VMware vRealize Remote Code Execution
vulncheck · 2022 · CVSS 9.8 · CRITICAL
The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.
Affected: VMware vrealize_log_insight
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation reference: https://25491742.fs1.hubspotusercontent-eu1.net/hubfs/25491742/WAZAWAKA_TLPCLEAR_Report.pdf
Exploit PoC: https://vulncheck.com/xdb/ffec95a134cd
No detection rules found.
Nuclei
VMware vRealize Log Insight - Improper Access Control to RCE
nuclei · CVSS 9.8 · CRITICAL
The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.
Template (excerpt):
```yaml
id: CVE-2022-31704

info:
  name: VMware vRealize Log Insight - Improper Access Control to RCE
  author: ritikchaddha
  severity: critical
  description: |
    The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.
  impact: |
    Successful exploitation allows a remote, unauthenticated attacker to inject and execute malicious code on the target applian
```
Metasploit
VMware vRealize Log Insight Unauthenticated RCE
metasploit
VMware vRealize Log Insight versions 8.x contain multiple vulnerabilities, such as directory traversal, broken access control, deserialization, and information disclosure. When chained together, these vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. This module achieves code execution via triggering a `RemotePakDownloadCommand` command via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest` thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the specially crafted PAK archive, which then will place the JSP payload under a certain API endpoint (pre-authenticated) location upon
References:
- http://packetstormsecurity.com/files/174606/VMware-vRealize-Log-Insight-Unauthenticated-Remote-Code-Execution.html
- https://packetstorm.news/files/id/174606
- https://www.vmware.com/security/advisories/VMSA-2023-0001.html