CVE-2026-53476
Status: Received - Intake
Path Traversal in Assisted Migration Agent via Malicious gzipped Tarball

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.
Affected Vendors & Products
Vendor   Product                    Version / Range
redhat   assisted-migration-agent   *
CWE
CWE-59: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Compliance Impact

The vulnerability allows unauthenticated attackers on the local area network to write arbitrary files and potentially execute unauthorized code with elevated privileges. This could lead to manipulation of configuration files, persistent code execution, and credential exfiltration.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on data integrity, confidentiality, and system security.

Specifically, the risk of credential exfiltration and unauthorized code execution could lead to breaches of sensitive personal or health information, violating regulatory requirements for protecting such data.

Executive Summary

This vulnerability is a path traversal flaw in the assisted-migration-agent's VDDK tarball extraction process. An unauthenticated attacker on the same local area network (LAN) can craft a malicious gzipped tarball containing symbolic links (symlinks) that bypass the existing security checks. These symlinks allow the attacker to write arbitrary files outside the intended extraction directory by exploiting weaknesses in the path validation logic.

The vulnerability arises because the extraction function relies on lexical path checks that do not resolve symlinks, enabling chained symlink attacks. This can lead to unauthorized file writes as user ID 1001, potentially overwriting critical system files or configuration files.

Impact Analysis

Exploitation of this vulnerability can have severe impacts, including arbitrary file writes on the system running the assisted-migration-agent. This can lead to manipulation of configuration files, persistent unauthorized code execution, and credential exfiltration.

Since the agent runs with vCenter admin privileges, an attacker could potentially gain full system compromise, resulting in loss of confidentiality, integrity, and availability of the affected appliance.

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious tarball uploads or extraction activity on the assisted-migration-agent, specifically on the PUT /inspector/vddk endpoint, which processes gzipped tarballs.

Since the vulnerability exploits path traversal via crafted symlinks inside tarballs, you can detect attempts by inspecting tarball contents for unusual or suspicious symlinks that point outside the intended extraction directory.

Suggested commands include listing and inspecting tarballs manually or via scripts to look for symlinks or path components that could lead to path traversal:

  • Use tar to list contents without writing anything to disk; symlink entries are shown with an "l" type and their target after "->": tar -tvzf suspicious.tar.gz
  • Only if needed, extract the tarball into an empty scratch directory and check for symlinks pointing outside it (extraction of an untrusted archive is itself the risky step, so prefer listing first): mkdir -p /tmp/safe_dir && tar -xvzf suspicious.tar.gz -C /tmp/safe_dir && find /tmp/safe_dir -type l -exec ls -l {} \;
  • Check logs or network traffic for unusual PUT requests to the /inspector/vddk endpoint carrying tarballs.

Additionally, monitoring file writes by UID 1001 (the user under which the agent runs) to sensitive paths like /var/lib/agent/config or /app/.cache may indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation involves applying the vendor patch, which fixes the path traversal vulnerability by adding symlink resolution checks before each file is created.

The patch ensures that the resolved parent directories of extracted files remain within the intended destination directory, preventing arbitrary file writes outside the extraction path.

Until the patch is applied, restrict access to the assisted-migration-agent's PUT /inspector/vddk endpoint to trusted LAN clients only, as the vulnerability requires LAN adjacency.

Monitor and audit any tarball uploads and extraction activities for suspicious patterns or unexpected file writes.

If possible, run the agent with least privilege and avoid running it with vCenter admin privileges to limit the impact of potential exploitation.
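As an added example (not code from the advisory or from the assisted-migration-agent project), the following Python illustrates both the detection guidance and the mitigation above: it builds a constructed tarball of the kind described, extracts it entry by entry into a scratch directory, and records for each entry whether a purely lexical path check and a resolved-parent check of the kind the patch description implies would accept it. The entry names, the scratch directory and the check functions are assumptions for illustration only.

```python
import io, os, tarfile, tempfile


def build_sample_tarball() -> bytes:
    # Constructed sample (not a real VDDK bundle): a benign file, a symlink to the
    # parent of the extraction directory, and a file whose path goes through it.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, linkname in (
            ("vddk/README", b"benign\n", None),
            ("vddk/escape", None, "../.."),             # resolves above dest
            ("vddk/escape/outside.txt", b"x\n", None),  # lexically inside dest
        ):
            info = tarfile.TarInfo(name)
            if linkname:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check(dest: str, name: str) -> tuple:
    # lexical: normalise '..' without touching the filesystem (symlinks are invisible).
    # resolved: the patch's approach, realpath the parent as it exists on disk first.
    target = os.path.join(dest, name)
    inside = lambda p: p == dest or p.startswith(dest + os.sep)
    return inside(os.path.normpath(target)), inside(os.path.realpath(os.path.dirname(target)))


def extract_with_checks(data: bytes, dest=None) -> dict:
    # Extract entry by entry into dest (a fresh scratch dir by default), returning
    # {name: (lexical_ok, resolved_ok)}; entries failing either check are skipped.
    dest = os.path.realpath(dest or tempfile.mkdtemp(prefix="vddk-check-"))
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar:
            full = os.path.join(dest, m.name)
            verdicts[m.name] = check(dest, m.name)
            if not all(verdicts[m.name]):
                continue
            os.makedirs(os.path.dirname(full), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, full)
            elif m.isfile():
                with open(full, "wb") as f:
                    f.write(tar.extractfile(m).read())
    return verdicts
```

The file routed through the symlink passes the lexical check and is rejected only by the resolved check, which is why a check that never consults the filesystem cannot catch this class of archive.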
