
VMware Privileged Guest Operations Vulnerability | Barikat Siber Güvenlik

16/06/2023

This article explains and raises awareness about the attack patterns used against compromised hypervisor virtualization environments, their consequences and potential harm, the CVSS-rated vulnerabilities involved, and the precautions against the "privileged guest" operations carried out by Chinese threat actors. It is therefore strongly advised to take the necessary protective measures against these types of attack.

To begin with, it is important to note that the Chinese threat actor group "UNC3886" deliberately targets platforms that are either not supported by EDR (Endpoint Detection and Response) or incompatible with it, in order to evade the EDR solutions that strengthen detection on endpoint devices. For this reason, the group prefers attack methods that focus on ESXi, vSphere and the guest hosts running on them.

The group reduces its risk of detection by altering static artefacts such as hashes and file names, so published static IOCs (Indicators of Compromise) quickly lose their value. For this reason, this document describes IOA (Indicator of Attack) patterns instead of IOCs.

Impacts:

  • Retrieving credential information from the vPostgreSQL database that runs in the background of the vCenter Server Appliance.
  • Running authorised commands on Windows, Linux and PhotonOS guest VMs by exploiting the CVE-2023-20867 vulnerability.
  • Leaving backdoors on ESXi hosts through sockets.
  • Prolonging dwell time inside the environment and extending lateral movement.

Steps of Attack:

  • The attacker gains privileged access on vCenter.
  • The attacker retrieves the "vpxuser" credentials on vCenter.
  • The attacker accesses the ESXi hosts with the retrieved credentials.
  • A malicious VIB (vSphere Installation Bundle) is deployed on the ESXi host.
  • Backdoors are installed using VIRTUALPITA and VIRTUALPIE.
  • Unauthenticated commands are run on the guest VMs from the compromised ESXi hosts, as described in the CVE-2023-20867 vulnerability.

Patterns of running commands with vpxuser on the target ESXi host and on the guest VMs located on it:

    [Figure: VMware Privileged Guest]
    The scripts in use discover and enumerate the located ESXi servers and the guest virtual machines connected to these servers:

  • Acquiring user credentials stored on the ESXi host in plain text.
  • Discovery of all ESXi hosts and of all VMs connected to those hosts.
  • Adding or removing entries in the allowed IP address list of a specific service (by default sshServer) on all connected ESXi hosts.

    The "vpxuser" credentials are critically important for carrying out these attacks. vpxuser is a privileged service account on the ESXi host; it is created automatically and its password is rotated automatically every 30 days.

    When the vCenter server needs to perform privileged operations, it uses this service account, for example:

  • To move a VM to a different ESXi host,
  • To change VM configurations, etc.

    Although the vpxuser credentials are normally stored encrypted, they can be obtained in clear text by exploiting the CVE-2022-22948 vulnerability.

    The guest operations APIs exposed on ESXi hosts, which are invoked to run commands inside the VMs:

      Managed Object                Method                            Description
      GuestAliasManager             AddGuestAlias                     define alias for guest account
                                    ListGuestAliases                  list guest aliases for specified user
                                    ListGuestMappedAliases            list alias map for in-guest user
                                    RemoveGuestAliasByCert            remove certificate associated aliases
      GuestAuthManager              AcquireCredentialsInGuest         authenticate, return session object
                                    ReleaseCredentialsInGuest         release session object
                                    ValidateCredentialsInGuest        check authentication data or timeout
      GuestFileManager              ChangeFileAttributesInGuest       change attributes of file in guest
                                    CreateTemporaryDirectoryInGuest   make a temporary directory
                                    CreateTemporaryFileInGuest        create a temporary file
                                    DeleteDirectoryInGuest            remove directory in guest OS
                                    DeleteFileInGuest                 remove file in guest OS
                                    InitiateFileTransferFromGuest     start file transfer from guest OS
                                    InitiateFileTransferToGuest       start file transfer to guest OS
                                    ListFilesInGuest                  list files or directories in guest
                                    MakeDirectoryInGuest              make a directory in guest
                                    MoveDirectoryInGuest              move or rename a directory in guest
                                    MoveFileInGuest                   rename a file in guest
      GuestWindowsRegistryManager   CreateRegistryKeyInGuest          create a registry key
                                    DeleteRegistryKeyInGuest          delete a registry key
                                    DeleteRegistryValueInGuest        delete a registry value
                                    ListRegistryKeysInGuest           list registry subkeys for a given key
                                    ListRegistryValuesInGuest         list registry values for a given key
                                    SetRegistryValueInGuest           set or create a registry value
      GuestProcessManager           ListProcessesInGuest              list processes running in guest OS
                                    ReadEnvironmentVariableInGuest    read environment variable in guest
                                    StartProgramInGuest               start running program in guest
                                    TerminateProcessInGuest           stop a running process in guest

    Mitigation:

  • VMware recommends updating against the vulnerability (CVE-2023-20862) that enables remote code execution via VMware Tools, and applying the necessary hardening to virtualization environments as described in the documentation they have published:
    https://core.vmware.com/vmware-vsphere-8-security-configuration-guide#use-your-head
  • VMware vCenter Server versions 6.5, 6.7 and 7.0 are affected by CVE-2022-22948, the vulnerability that allows the encrypted "vpxuser" credentials to be obtained in clear text.

      Affected Version    Fixed Version
      6.5                 6.5 U3r
      6.7                 6.7 U3p
      7.0                 7.0 U3d

    It is recommended to patch any vCenter Server instances in the virtualization environment that are running one of the affected versions.
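As an added example (not part of the original article or of any VMware tooling), the following Python script turns the fixed-version table above into an inventory check for CVE-2022-22948: it parses vCenter version strings in the "major.minor Uupdate letter" form the table uses and reports whether each instance is at or above the fixed release of its line. The version-string format and the alphabetical ordering of patch letters are assumptions; the hostnames in the sample inventory are constructed.

```python
"""Added example: check vCenter Server versions against the CVE-2022-22948 fixed-version table."""
import re
from typing import Dict, Optional, Tuple

# Fixed versions for CVE-2022-22948 as listed in the article's table.
FIXED_VERSIONS = {"6.5": "6.5 U3r", "6.7": "6.7 U3p", "7.0": "7.0 U3d"}

# Assumed format: "7.0", "7.0 U3" or "7.0 U3d" (build numbers are not handled).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '6.7 U3p' into a comparable tuple (6, 7, 3, 16).
    A missing update means update 0; a missing patch letter means the GA
    release of that update, which sorts before 'a'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    update = int(m.group(3)) if m.group(3) else 0
    patch = ord(m.group(4).lower()) - ord("a") + 1 if m.group(4) else 0
    return (major, minor, update, patch)


def is_patched(installed: str) -> Optional[bool]:
    """True if installed >= the fixed version of its release line, False if
    below it, None if the line is not in the table (e.g. vCenter 8, which
    the article does not list and therefore cannot be judged here)."""
    major, minor, _, _ = parse_version(installed)
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixed is None:
        return None
    return parse_version(installed) >= parse_version(fixed)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each vCenter hostname to 'patched', 'VULNERABLE' or 'unknown'."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host: labels[is_patched(version)] for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"vc01.example.test": "7.0 U3c", "vc02.example.test": "6.7 U3p",
              "vc03.example.test": "7.0 U3g", "vc04.example.test": "8.0 U1"}
    for host, state in audit(sample).items():
        print(f"{host}: {state}")
```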
