Background / What has happened?
The ACSC has identified three previously unreported vulnerabilities in VMware Hyperic Server and VMware Hyperic Agent.
- CVE-2022-38650: A remote unauthenticated insecure deserialisation vulnerability in VMWare Hyperic Server. Exploitation of this vulnerability enables a malicious party to run arbitrary code or malware within Hyperic Server and the host operating system with the privileges of the Hyperic server process.
- CVE-2022-38651: A security filter misconfiguration in VMWare Hyperic Server. Exploitation of this vulnerability enables a malicious party to bypass some authentication requirements when issuing requests to Hyperic Server.
- CVE-2022-38652: A remote post-authentication insecure deserialisation vulnerability in VMWare Hyperic Agent. Exploitation of this vulnerability enables a malicious party to run arbitrary code or malware within a Hyperic Agent instance and its host operating system with the privileges of the Hyperic Agent process (often SYSTEM on Windows platforms). While this vulnerability is post-authentication, prior exploitation of CVE-2022-38650 results in the disclosure of the authentication material required to exploit this vulnerability.
The combined impact of these vulnerabilities is that an unauthenticated malicious party, with network connectivity to Hyperic Server, is able to execute arbitrary code or malware within Hyperic Server and on any connected Hyperic Agent installations (often with SYSTEM privileges). Hyperic Server is commonly configured to communicate with other VMWare services and authentication providers (Active Directory, LDAP). It is possible that credentials to these services may be compromised following exploitation of Hyperic Server, resulting in further exploitation of an organisation's virtualisation and directory services.
Mitigation / How do I stay secure?
The ACSC understands that VMware Hyperic has reached End of General Support/End of Life (EOL), further updates or patches to address the vulnerabilities identified in this advisory will not be released. VMWare recommends customers upgrade to more recent suites of their products that do not include Hyperic Server.
The ACSC recommends that VMWare Hyperic Server and VMWare Hyperic Agent installations be removed from affected networks.
As the product must be reachable via the network from any monitored hosts, the ACSC does not believe restricting network connectivity to Hyperic Server to be an effective mitigation.