Remember how Log4j ruined Christmas at the end of 2021? Well, here’s another major logging software vulnerability to darken your Spring day: this time it’s CVE-2023-20864, a security hole in VMware’s Aria Operations for Logs—otherwise known as AOfL and previously known as vRealize Log Insight.
The Common Vulnerability Scoring System (CVSS) score, a measure of security risk, for this vulnerability is 9.8. With a maximum possible score of 10, that’s about as bad as it realistically gets.
The reason for this high score is that the flaw allows remote code execution (RCE): even individuals who have not logged in, or who do not even have an account, can execute code on the AOfL system.
RCE is the same type of exploit as is seen in Log4Shell—which takes advantage of Log4j’s vulnerability—so a remote attacker can send over what the designers of the software expected to be normal data, but the system interprets it as programmatic commands.
The silver lining to this issue is that, in order to exploit it, the AOfL system has to be exposed—outside of a firewall or other tool’s protection—which most aren’t until an attacker is somewhere inside the network. That still means an attacker with a foothold in the network can take advantage of the vulnerability to expand the intrusion and possibly escalate privileges to an admin account.
If you don’t use AOfL or VMware you may be asking, “Why do I need to worry?”
This is yet another example of how multiple flaws likely exist across all software in use in your organization. They just haven’t been identified by those who want to help the “good guys.”
A defense-in-depth strategy is necessary for a security program to effectively protect an organization from these unknown holes in its defenses. Different layers of access control, correlation between different types of monitoring solutions, and 24x7x365 detection and response are all parts of the required defense in depth.
We’re also now seeing attackers scanning for vulnerabilities within 15 minutes of the release of official announcements of vulnerabilities. Organizations can no longer wait weeks to patch critical- and high-risk vulnerabilities.
Your organization needs both an agile patch management/mitigation strategy and an effective defense in depth approach to security.
Webcheck Security’s expert virtual Chief Information Security Officers (vCISOs) can provide just the sort of help you need in assessing the effectiveness of your security. One can even become your dedicated as-needed CISO if you want to save the money you’d spend on hiring a full-time CISO. Contact Webcheck today to discuss your objectives and needs in this area.