Log4Shell: VMware observes too many unpatched Horizon servers
VMware’s Horizon desktop and application virtualization servers are targeted by attacks exploiting vulnerabilities in Apache’s Log4j logging library. The publisher urges companies to urgently apply its patches.
Faced with the Log4j tornado, CIOs are combing through their applications and services to close the loopholes related to this Apache logging library for Java environments. But publishers also have a lot of work to do to fill the security holes in their solutions, as is the case recently for VMware. The virtualization specialist has thus corrected vulnerabilities to avoid Log4Shell exploits in its application virtualization product and Horizon workstations. However, the message is far from having been received 5/5 by companies.
The situation is indeed alarming to say the least: according to a latest report from NHS Digital, attackers are specifically targeting VMware Horizon servers to install web shells. To fight against ongoing exploits and the installation of malicious scripts leading to a whole host of attacks (data exfiltration, deployment of ransomware, etc.). The NHS is not the only one to have warned of the danger, it is also the case of Microsoft which warned that a Chinese cybergang (DEV-0401) had managed to deploy the Night Sky ransomware on Horizon servers exposed on the Internet . A quick look at Shodan shows that there are still more than 24,000 VMware Horizon servers that are still vulnerable.
Urgently apply fixes from VMSA bulletin 2021-0028
“Even with VMware’s security alerts and continued efforts to contact customers directly, we continue to see some companies not updating,” said Kerry Tuttle, VMware communications director. “Customers who have not applied the patch or latest workaround provided in VMware’s security advisory are at risk of being compromised – or may have already been compromised – by threat actors exploiting the Apache vulnerability. Log4shell to actively compromise unpatched access to the Internet. Horizon environments”.
To guard against Log4Shell exploits on Horizon servers, it is therefore imperative to apply the patches of VMware’s VMSA 2021-0028 security bulletin, published for the first time on December 10 and since then regularly updated. CVE-2021-44228 and CVE-2021-45046 affect Horizon (8.x and 7.x), DaaS (9.1.x and 9.0.x), Cloud Connector (1.x and 2.x), and Agents Installer ( 21.xx and 20.xx).
VMware is of course not the only publisher affected by vulnerabilities linked to Log4j, this is the case for almost all suppliers on the planet: Adobe, Amazon, Atlassian, Broadcom, Cisco, Citrix, Debian, Docker, FortiGuard, F-Secure, IBM, Juniper Networks, McAfee, Microsoft, MongoDB, Okta, Oracle, Red Hat, SolarWinds, SonicWall, Sophos, Splunk, Trend Micro, Ubuntu, Zoho, Zscaler…