

If you have VMWare Horizon in your organization, this message may be very important for you to secure your IT infrastructure. Your organization can be penetrated and hacked at any time. We analyzed a successful exploitation of the "Log4shell" vulnerability CVE-2021-44228 on a VMWare Horizon component: Blast Secure Gateway. This component, when enabled, allows clients to access remote desktops and applications from the Internet. If you don't have VMWare Horizon in your organization, you can ignore this advisory.

Here's the table where you can verify if your VMWare Horizon is vulnerable to CVE-2021-44228 and CVE-2021-45046. Status by build:

- Build 19067837 (release date ) is not vulnerable.
- Build 19052438 (release date ) is vulnerable to CVE-2021-45046 (only if the HTML Access portal is installed).
- Build 18964782 (release date ) is vulnerable to both (only if the HTML Access portal is installed).
- Build 19069458 (release date ) is not vulnerable.
- Build 18057992 (release date ) is vulnerable to both (only if the HTML Access portal is installed).
- Build 19069415 (release date ) is not vulnerable.
- Build 17056980 (release date ) is vulnerable to both (only if the HTML Access portal is installed).

Remediation for the vulnerable versions:

- Vulnerable (only if the HTML Access portal is installed) and should be updated to 2111.
- Vulnerable (only if the HTML Access portal is installed) and should be updated to 7.13.1.
- Vulnerable (only if the HTML Access portal is installed) and should be updated to 7.10.3.
- Vulnerable (only if the HTML Access portal is installed) but out of support and should be updated to a supported version.

VMware also provides a Manual Mitigation for Horizon Connection Server and a Scripted Mitigation for Horizon Connection Server, Agent for Windows and HTML Access portal.

The investigation is still ongoing, but we already have evidence of malicious activities that you can look for in your systems. Specifically, the actor installed a backdoor in a Javascript library that is part of the Blast Secure Gateway:

\Program Files\VMWare\VMWare View\Server\appblastgateway\lib\absg-worker.js

The backdoor waits for a specific string in the HTTP request, then decodes a base64-encoded payload and possibly executes it under the "replyError" function:

(String(req.url).includes('lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb'))
ReplyError(req, res, 400, ())

Backdoor insertion is performed through a Powershell script. This script is decoded from a malicious Java class that is downloaded and executed after successful exploitation of CVE-2021-44228 (also known as log4shell):

Snippet 2: powershell -c $path=gwmi win32_service|?|Set-Content $path Restart-Service -Force VMBlastSG
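The following check is added here as an example and is not part of the original advisory. Run on a Horizon Connection Server, it scans absg-worker.js for the marker string quoted above and for the generic "test req.url, then base64-decode" shape of the backdoor, records the file's hash and modification time, and lists recent VMBlastSG restarts from the System event log. The generic regex patterns and the service display-name match are assumptions; the file path and marker string come from the advisory.

```powershell
# Added defender check, not part of the original advisory.
# Path and marker string are taken from the advisory; the regexes for the generic
# backdoor shape and the service display name in the event log are assumptions.
$AbsgWorker = 'C:\Program Files\VMWare\VMWare View\Server\appblastgateway\lib\absg-worker.js'
$Marker     = 'lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb'

function Test-AbsgWorkerBackdoor {
    param([string]$Path = $AbsgWorker)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path (Blast Secure Gateway may not be installed here)"
        return $null
    }

    $content  = Get-Content -LiteralPath $Path -Raw
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Exact indicator from the analysed sample (case-sensitive substring match)
    if ($content.Contains($Marker)) {
        $findings.Add('exact marker string from the advisory is present')
    }
    # 2. Generic shape: req.url tested with includes() plus a base64 decode (assumed Node idioms)
    if ($content -match 'String\(req\.url\)\.includes\(') {
        $findings.Add('req.url is tested with String(...).includes()')
    }
    if ($content -match "Buffer\.from\([^)]*'base64'\)|atob\(") {
        $findings.Add('base64 decoding of runtime data is present')
    }

    [pscustomobject]@{
        Path          = $Path
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        LastWriteTime = (Get-Item -LiteralPath $Path).LastWriteTime
        Findings      = $findings.ToArray()
        Suspicious    = ($findings.Count -gt 0)
    }
}

function Get-VMBlastSGRestarts {
    param([int]$Days = 30)
    # Event 7036 (Service Control Manager) records service state changes; the insertion
    # script ends with "Restart-Service -Force VMBlastSG", so an unexpected restart is a lead.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'VMBlastSG|Blast Secure Gateway' } |
        Select-Object TimeCreated, Message
}

Test-AbsgWorkerBackdoor | Format-List
Get-VMBlastSGRestarts | Format-Table -AutoSize
```

Compare the reported SHA256 and LastWriteTime against a clean installation of the same build; a modification time close to a VMBlastSG restart, with or without the marker, is worth a closer look.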
