Flaw Allows Unauthorized Users to Send Specially Crafted Requests
Security firm Positive Technologies says more than 6,000 VMware vCenter devices worldwide that are accessible via the internet contain a critical remote code execution vulnerability. VMware has issued recommendations for patching the flaw.
The vulnerability, CVE-2021-21972, carries a CVSS v3 base score of 9.8, which places it at the top of the Critical severity range; the score is that high largely because no authentication is required to reach the flaw. If exploited, it allows an attacker to execute arbitrary commands on the vCenter Server appliance, compromise it and potentially gain access to sensitive data.
The flaw sits in a vCenter Server plugin that is reached through the vSphere Client (HTML5), the web interface administrators use to manage the ESXi hosts in an organization's virtual infrastructure. The interface lets administrators create and manage virtual machines as well as host resources, which is why control of it is so valuable to an attacker.
The Risk Involved
Positive Technologies researcher Mikhail Klyuchnikov says that by exploiting the flaw, an unauthorized user could send a specially crafted request that will ultimately give them the opportunity to execute arbitrary commands on the server.
“After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network and gain access to the data stored in the attacked system (such as information about virtual machines and system users),” Klyuchnikov says. “If the vulnerable software can be accessed from the internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data. … This vulnerability is dangerous, as it can be used by any unauthorized user.”
Javvad Malik, security awareness advocate at the security firm KnowBe4, says organizations should prioritize patching any VMware vCenter devices.
“Whenever such a vulnerability is exposed, many organizations find themselves trying to build the inventory of where they have instances of impacted software,” he says. “That’s why it’s important that asset inventories are compiled on an ongoing basis and in advance of an issue. However, with many people working remotely, this can prove challenging for many organizations, and it could be that criminals will be trying to exploit this vulnerability for months to come.”
Where Vulnerable Devices Are Located
Of the more than 6,000 internet-accessible VMware vCenter devices worldwide that contain this vulnerability, 26% are located in the United States, followed by Germany, France, China, Great Britain, Canada, Russia, Taiwan, Iran and Italy, Positive Technologies says.
Researchers at the security firm note, however, that the main threat from this vulnerability comes from insiders, or from outsiders who have already breached the network perimeter by other means, such as social engineering or web application vulnerabilities, or who have access to the internal network through previously installed backdoors.
In August 2020, Positive Technologies published research on its external penetration tests in which its testers breached the network perimeter and gained access to local network resources at 93% of the companies tested.
“Despite the fact that more than 90% of VMware vCenter devices are located entirely inside the perimeter – as estimated by Positive Technologies analytics – some of them are accessible remotely,” researchers note.
Another VMware vCenter Server vulnerability discovered by Positive Technologies, CVE-2021-21973, is a server-side request forgery (SSRF) flaw: an unauthorized user can send a POST request to the vCenter Server plug-in and obtain information disclosure. This could help an attacker develop further attacks, for example by using the vCenter Server to scan the company's internal network and learn which ports and services are open on other hosts.
Positive Technologies recommends installing the updates from VMware and removing vCenter Server interfaces from the organization's perimeter, placing them on a separate VLAN with a restrictive access list on the internal network.
Boris Cipot, senior security engineer at the security firm Synopsys, says: "Even as companies like VMware ensure they're delivering secure and safe software to their customers, vulnerabilities are still likely to emerge after its release. Acting quickly and providing the patch for their customers is commendable."
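As an added example, not taken from the article or from Positive Technologies, the following Python script shows the inventory triage that Malik's comment about asset inventories and Positive Technologies' patching recommendation both call for: given a list of vCenter instances with their version and whether their management interface is reachable from the internet, it flags which ones still run a release older than the fix and orders them so that exposed, unpatched servers are patched (or pulled off the perimeter) first. The fixed release names (7.0 U1c, 6.7 U3l, 6.5 U3n) are the ones VMware listed in its advisory VMSA-2021-0002 for CVE-2021-21972 and CVE-2021-21973; the advisory is not named in the article. The "X.Y UNz" version format, the Asset record layout and the sample hosts are this example's own assumptions and constructed data.

```python
import re
from dataclasses import dataclass

# First fixed release per supported line, as listed in VMware advisory VMSA-2021-0002.
# Anything older on the same line is assumed to still carry CVE-2021-21972/21973.
FIXED = {
    (7, 0): "7.0 U1c",
    (6, 7): "6.7 U3l",
    (6, 5): "6.5 U3n",
}

# Assumed version format: "major.minor" optionally followed by " U<update><letter>",
# matching the names VMware uses in the advisory (e.g. "6.7 U3l").
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


def version_key(version):
    """Map 'X.Y UNz' to a comparable tuple (X, Y, N, letter_index); None if unparsable."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, update, letter = m.groups()
    letter_index = (ord(letter.lower()) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(update or 0), letter_index)


def status(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a vCenter version string."""
    key = version_key(version)
    if key is None:
        return "unknown"           # not in the assumed format; review by hand
    fixed = FIXED.get(key[:2])
    if fixed is None:
        return "unknown"           # release line not covered by the advisory (e.g. 6.0)
    return "patched" if key >= version_key(fixed) else "vulnerable"


@dataclass
class Asset:
    host: str
    version: str
    internet_exposed: bool         # management interface reachable from the internet


def triage(assets):
    """Order assets for remediation: vulnerable before unknown before patched,
    and within each group internet-exposed before internal-only."""
    rank = {"vulnerable": 0, "unknown": 1, "patched": 2}
    rows = []
    for a in assets:
        s = status(a.version)
        priority = (rank[s], 0 if a.internet_exposed else 1)
        rows.append((priority, a.host, a.version, s, a.internet_exposed))
    rows.sort()
    return [(host, ver, s, exposed) for _, host, ver, s, exposed in rows]


# Constructed sample inventory; these are not real hosts.
SAMPLE = [
    Asset("vcsa-dmz-01.example.test", "6.7 U3k", True),
    Asset("vcsa-core-02.example.test", "7.0 U1c", False),
    Asset("vcsa-lab-03.example.test", "7.0", False),
    Asset("vcsa-legacy-04.example.test", "6.0 U3", False),
    Asset("vcsa-core-05.example.test", "6.5 U3n", True),
]

if __name__ == "__main__":
    for host, ver, s, exposed in triage(SAMPLE):
        print(f"{host:30} {ver:10} {s:10} {'INTERNET' if exposed else 'internal'}")
```

Versions on a release line the advisory does not cover (such as 6.0, which was already out of general support) come back as "unknown" rather than "patched", so they stay on the review list instead of silently dropping off it; the same goes for any string the assumed format cannot parse.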
Earlier this month, Positive Technologies researcher Egor Dimitrenko discovered a high-severity vulnerability in the VMware vSphere Replication tool.
The bug, if exploited, enabled attackers with access to the tool’s administration web interface to execute arbitrary code on the server with maximum privileges and start lateral movement on the network to seize control of the corporate infrastructure.
In December 2020, the U.S. National Security Agency warned that Russian state-sponsored threat actors were attempting to exploit a known vulnerability in several VMware products (see: NSA: Russian Hackers Exploiting VMware Vulnerability).