VMware fixes vRealize bug that let attackers run code as root

VMware addressed a critical vRealize Log Insight security vulnerability that allows remote attackers to gain remote execution on vulnerable appliances.

This log analysis tool, now known as VMware Aria Operations for Logs, helps manage terabytes' worth of application and infrastructure logs in large-scale environments.

The bug (tracked as CVE-2023-20864) is described as a deserialization vulnerability that can be abused to run arbitrary code as root on compromised systems.

CVE-2023-20864 can be exploited remotely by unauthenticated threat actors in low-complexity attacks that don’t require user interaction.

Today, VMware also released security updates for a second security flaw (tracked as CVE-2023-20865) that enables remote attackers with administrative privileges to execute arbitrary commands as root.

Both vulnerabilities were addressed in a new release. There is no evidence that these security bugs were exploited in the wild before being patched.

“CVE-2023-20864 is a critical issue and should be patched immediately as per the instructions in the advisory. It needs to be highlighted that only version 8.10.2 is impacted by this vulnerability (CVE-2023-20864),” VMware said.

“Other versions of VMware Aria Operations for Logs (formerly vRealize Log Insight) are impacted by CVE-2023-20865, but this has a lower CVSSv3 score of 7.2.”

Two other critical vRealize bugs patched in January

In January, the company addressed two other critical bugs (CVE-2022-31706 and CVE-2022-31704) affecting the same product and allowing remote code execution, as well as flaws that could be exploited for information theft (CVE-2022-31711) and denial-of-service attacks (CVE-2022-31710).

One week later, security researchers with Horizon3’s Attack Team showed how to chain three of the four bugs, allowing attackers to execute code remotely as root on compromised VMware vRealize appliances.

While only a few dozen VMware vRealize instances are exposed online, this is to be expected, since such appliances are designed to be accessed only from inside organizations’ networks.

However, it is not uncommon for attackers to exploit vulnerabilities in devices on networks they have already compromised, making properly configured yet unpatched VMware appliances valuable internal targets.