The Wallarm Detect team has found exploit attempts in the wild of CVE-2022-31678 and CVE-2021-39144. The original vulnerabilities were found in VMware NSX Manager at the end of last year, and can lead to remote code execution (RCE) by pre-authenticated attackers. The CVE-2022-31678 vulnerability was found in VMware NSX Manager and exposes software to XXE (XML External Entity Injection) attacks; when combined with the CVE-2021-39144 vulnerability, which impacts the 3rd party library XStream, this can lead to high impact attacks. In this article, we will explore these vulnerabilities, the mechanisms behind them, and the impact they can have on businesses.

Introduction

The Wallarm Detect team is constantly hunting for vulnerabilities in software systems to ensure that businesses are protected from attacks. Recently, the team found attempts to exploit two vulnerabilities in VMware NSX Manager which allowed pre-authenticated attackers to execute code remotely. These vulnerabilities are still being actively exploited by attackers, and the Wallarm Web Application and API  Protection (WAAP) capability is able to block them before any significant damage occurs.

What is VMware NSX Manager?

VMware NSX Manager is a software system used for network virtualization and security. It provides a centralized management platform for configuring and monitoring network virtualization and security components. Companies that use VMware NSX Manager typically require a high level of security for their network infrastructure. This includes businesses in the financial sector, healthcare, retail / ecommerce, and government agencies.

The Vulnerabilities

One of the exploitable vulnerabilities impacting VMware NSX Manager is tracked as CVE-2022-31678 (CVSS v3.x Base Score: 9.1, Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), published on 2022-Oct-27. The other is CVE-2021-39144 (CVSS v3.x Base Score: 8.5, Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), a deserialization vulnerability in XStream <= 1.4.18. VMware NSX Manager uses the package xstream-1.4.18.jar, which makes it vulnerable to this deserialization vulnerability. All that is required to trigger the vulnerability is to find an endpoint that is reachable from an unauthenticated context. The original post with details of exploitation was published by Sina Kheirkhah on 2022-Oct-25.

Exploitation Details

The Wallarm Detect team hunts and analyzes dozens of vulnerabilities every day, and this one is particularly interesting because it was exploited over 40 thousand times over the last 2 months. Active exploitation started on 2022-Dec-08 and keeps going. Attackers are scanning from well-known data centers like Linode and Digital Ocean – over 90% of the attacks are coming from their IP addresses. 

We saw the peak in scanning attempts occur in late December, when Wallarm was blocking an average of almost 1,750 per day and a maximum of over 4,600 attacks per day. The current rate is about 500 attempts per day – meaning these vulnerabilities are still a threat.

If successfully exploited, the impact of these vulnerabilities could be catastrophic, allowing attackers to execute arbitrary code, steal data, and/or take control of the network infrastructure.

How to Protect Your VMware NSX Manager