VMware patches RCE exploit in NSX Manager

Bug fixed despite product reaching end of life

PortSwigger

VMware has patched a critical vulnerability in the management service for NSX, its network virtualization and security platform.

The vulnerability, caused by an old deserialization bug in an outdated Java library, could be abused to achieve pre-authentication remote code execution (RCE) on the host computer.

Due to the bug’s criticality, VMware issued a patch despite the product having reached end-of-life status. The vulnerability is a reminder of the security challenges of managing open source software dependencies.

Deserialization bugs

Discovered and documented by security researcher Sina Kheirkhah, the main culprit in the VMware NSX Manager flaw was XStream, a library for converting Java objects to XML format and vice versa (aka marshalling/unmarshalling).

XStream supports the marshalling and unmarshalling of a wide range of Java objects, even those that don’t implement the Serializable interface.

This has made XStream an attractive launchpad for various code injection attacks. Security researcher Alvaro Muñoz documented RCE attacks with XStream in 2013, research that greatly helped Kheirkhah in discovering the VMWare vulnerability.

To go from unmarshalling to code execution on the host machine, the attacker would have to combine several Java features, including dynamic proxies, event handlers, and method closures. Together, these allow the attacker to instantiate a class and invoke a method that runs commands on the system.
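XStream includes a type-permission API that limits which classes unmarshalling may instantiate. The following is an added example, not code from NSX Manager or from Kheirkhah's research; the `ResetRequest` class, its alias and the sample XML are constructed for illustration, and it assumes the XStream library is on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical request type: the only class this parser should ever unmarshal.
    public static class ResetRequest {
        String username;
    }

    static XStream hardened() {
        XStream xs = new XStream();
        // Start from "deny every type", then add back only what is needed.
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { ResetRequest.class, String.class });
        xs.alias("resetRequest", ResetRequest.class);
        return xs;
    }

    // Returns the parsed request, or null when the XML is rejected.
    static ResetRequest parse(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return (o instanceof ResetRequest) ? (ResetRequest) o : null;
        } catch (XStreamException e) {
            // A type outside the allowlist raises ForbiddenClassException,
            // a subclass of XStreamException, before any object is built.
            System.out.println("rejected: " + e.getClass().getSimpleName());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardened();
        // Constructed sample inputs.
        String expected = "<resetRequest><username>alice</username></resetRequest>";
        // "date" is XStream's built-in alias for java.util.Date, which is not allowlisted.
        String unexpected = "<date>2024-01-01 00:00:00.0 UTC</date>";
        System.out.println(parse(xs, expected).username);
        System.out.println(parse(xs, unexpected));
    }
}
```

The order of the calls matters: `NoTypePermission.NONE` is added first so that the later, narrower permissions take precedence over it.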

Exploit on VMware NSX Manager

Versions of XStream up to 1.4.18 are vulnerable to this kind of deserialization attack. Kheirkhah discovered that VMware NSX Manager used v1.4.18. The next step was to find an endpoint that could allow him to exploit the vulnerability.

“Java is very wild and there are so many scenarios that something can go wrong and end up in RCE on a popular appliance/software,” Kheirkhah told The Daily Swig. “I spent weeks studying how this certain VMware product works which, eventually after spending so much time, led me to the discovery of the vulnerability.”

Kheirkhah first found an endpoint through which he could exploit the bug on NSX Manager. However, this endpoint required authenticated access.

With the help of security researcher Steven Seeley, Kheirkhah was able to access XStream through the password reset endpoint, which led to pre-authentication RCE on the NSX Manager host.

“This vulnerability allowed unauthenticated remote code execution as the root user on the target VMware product,” Kheirkhah said.

Kheirkhah posted a proof of concept that shows how an attacker could gain shell access to the NSX Manager server.

Lessons learned

Even though the product had reached its end of life, VMware patched it because it evaluated the severity of the bug to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

“While VMware does not mention end-of-life products on VMware Security Advisories, due to the critical severity of NSX-V the product team has made a patch available,” VMware stated in an advisory.

“Deserialization vulnerabilities have been around for many years and will never go away,” Kheirkhah said.

“Even today you can notice how many new serialization libraries are getting introduced every day and how talented researchers are analyzing the security of these libraries and how it’s possible to abuse the deserialization process.”

Kheirkhah also underlined the importance of carefully handling the dependency chain of open source software. “Keeping track of dependencies and making sure they’re up to date is vital for securing your software,” he stressed.

The Daily Swig has reached out to VMware for comments. We will update this post if we hear back from them.
