CVE-2023-20864: Deserialization vulnerability in VMware Aria Operations for Logs (previously VMware vRealize Log Insight)


Summary of report

HSCT Threat Intelligence received information about CVE-2023-20864 (remote code execution in VMware Aria Operations for Logs) from the Zero Day Initiative write-up at https://www.zerodayinitiative.com/blog/2023/6/29/cve-2023-20864-remote-code-execution-in-vmware-aria-operations-for-logs. It is a critical-severity deserialization flaw in VMware Aria Operations for Logs (previously VMware vRealize Log Insight). An unauthenticated attacker with network access to the appliance can exploit it to execute arbitrary code as root. VMware addressed it in VMSA-2023-0007 (Aria Operations for Logs 8.12). Our team has reproduced the issue and provides additional analysis of how it can be exploited below.

Detailed analysis information

Based on the information from ZDI, the vulnerability is reachable through the API served on ports 9000/TCP (HTTP) and 9543/TCP (HTTPS), specifically through the following three routes defined in /usr/lib/loginsight/application/lib/api-play-service_2.13-1.0.jar!routes:

POST /api/v2/internal/cluster/applyMembership

controllers.InternalClusterController.applyMembership(request: play.mvc.Http.Request)

POST /api/v2/internal/cluster/setToken

controllers.InternalClusterController.setToken(request: play.mvc.Http.Request)

POST /api/v2/internal/cluster/approveMembership

controllers.InternalClusterController.approveMembership(request: play.mvc.Http.Request)

The source shows that all three handlers take the raw request body and pass it straight to SerializationUtils.deserialize from Apache Commons Lang 3 (commons-lang3) with no validation, so they deserialize untrusted data. SerializationUtils.deserialize wraps the bytes in a plain ObjectInputStream and calls readObject with no deserialization filter, so any Serializable class on the application's classpath can be instantiated by whoever controls the request body.

Deserialize function in org.apache.commons.lang3.SerializationUtils

The remaining question is which gadget chain is available on the application's classpath.

After reconnaissance on the appliance and locating the .jar files loaded by the process, the API service's libraries were found in /usr/lib/loginsight/application/lib, with additional libraries in /usr/lib/loginsight/application/lib/lib.

After extracting and analysing all of them, scala-library-2.13.5 was found. Scala 2.13 before 2.13.9 ships a known Java deserialization gadget chain (CVE-2022-36944, https://www.suse.com/security/cve/CVE-2022-36944.html). On its own the chain is harmless, but combined with an application that deserializes untrusted input it lets an attacker erase the contents of arbitrary files, open network connections, or run code (Function0 instances) on the target. Both preconditions are met here.

Proof Of Concept

  • A test.txt file was created on the appliance with the content "qwerty".

  • An HTTP POST request was sent to /api/v2/internal/cluster/setToken with the serialized object as the request body.

  • The payload was built to erase the contents of test.txt. The file was emptied, confirming that the chain executes with the service's root privileges. A payload aiming at code execution rather than file truncation can be built on the same chain.
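As an added example (not the report's, ZDI's or VMware's code) serving both the deserialization sink described above and the PoC steps: a Python triage script that recognises requests to the three internal cluster routes whose body is a Java serialization stream, pulls the class names out of the stream for inspection, and replays an externally produced payload the way the PoC does. The sample traffic, the serialized blob and the Content-Type header are constructed assumptions; the script does not build the gadget chain.

```python
"""Triage helper for CVE-2023-20864 traffic.

Added example (not HSCT's, ZDI's or VMware's code). It flags POST requests to
the three internal cluster endpoints whose body is a Java serialization
stream, lists the class descriptors embedded in the stream so a responder can
spot gadget classes, and replays a payload the way the PoC above does.
All sample requests and the serialized blob below are constructed here.
"""
import http.client
import re
import ssl

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION 5
VULNERABLE_PATHS = {
    "/api/v2/internal/cluster/applyMembership",
    "/api/v2/internal/cluster/setToken",
    "/api/v2/internal/cluster/approveMembership",
}
# TC_CLASSDESC (0x72) is followed by the class name as modified UTF-8:
# 2-byte big-endian length, then the bytes. Only plausible Java names are
# kept, which filters out stray 0x72 ('r') bytes inside other data.
_CLASSDESC = re.compile(rb"\x72(?P<len>[\x00-\xff]{2})")
_JAVA_NAME = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def extract_class_names(blob: bytes) -> list:
    """Best-effort list of class descriptors in a Java serialization stream."""
    if not blob.startswith(JAVA_SERIAL_MAGIC):
        return []
    names = []
    for m in _CLASSDESC.finditer(blob):
        n = int.from_bytes(m.group("len"), "big")
        raw = blob[m.end():m.end() + n]
        if len(raw) != n:
            continue
        try:
            name = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if _JAVA_NAME.match(name) and name not in names:
            names.append(name)
    return names


def triage_request(method: str, path: str, body: bytes) -> dict:
    """Verdict for one request seen on the Log Insight API (9000/9543)."""
    serialized = body.startswith(JAVA_SERIAL_MAGIC)
    suspicious = method.upper() == "POST" and path in VULNERABLE_PATHS and serialized
    return {
        "path": path,
        "serialized_body": serialized,
        "suspicious": suspicious,
        "classes": extract_class_names(body) if serialized else [],
    }


def send_payload(host: str, payload: bytes, port: int = 9543,
                 path: str = "/api/v2/internal/cluster/setToken") -> int:
    """Replay a payload produced elsewhere (the gadget chain is not built here)
    as the PoC does: raw serialized object in the POST body. Returns the HTTP
    status. Assumes the appliance uses a self-signed certificate, so TLS
    verification is disabled; the Content-Type is an assumption as well."""
    ctx = ssl._create_unverified_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("POST", path, body=payload,
                 headers={"Content-Type": "application/octet-stream"})
    status = conn.getresponse().status
    conn.close()
    return status


def _constructed_stream(*class_names: str) -> bytes:
    """Minimal stream of empty objects of the given classes. Constructed test
    data that follows the real wire format but carries no fields and no gadget."""
    out = bytearray(JAVA_SERIAL_MAGIC)
    for name in class_names:
        nb = name.encode()
        out += b"\x73"                                    # TC_OBJECT
        out += b"\x72" + len(nb).to_bytes(2, "big") + nb  # TC_CLASSDESC, name
        out += b"\x00" * 8                                # serialVersionUID
        out += b"\x02"                                    # SC_SERIALIZABLE
        out += b"\x00\x00"                                # no fields
        out += b"\x78"                                    # TC_ENDBLOCKDATA
        out += b"\x70"                                    # TC_NULL superclass
    return bytes(out)


# Constructed sample traffic: one serialized body naming a class under
# scala.collection.immutable.LazyList (where the CVE-2022-36944 chain lives),
# one JSON body on the same route, and an unrelated GET.
SAMPLE_REQUESTS = [
    ("POST", "/api/v2/internal/cluster/setToken",
     _constructed_stream("example.Holder",
                         "scala.collection.immutable.LazyList$SerializationProxy")),
    ("POST", "/api/v2/internal/cluster/setToken", b'{"token": "abc"}'),
    ("GET", "/api/v1/version", b""),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(triage_request(*req))
```

Run it against a capture or a proxy log by feeding each request to triage_request; any hit on these routes with a serialized body from outside the cluster's own nodes is worth an immediate look, and the class list tells you whether a Scala LazyList or other gadget class is present before anyone reproduces the payload.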

Credit: vtgsxx and Tu Le from HSCT