VMware Patches 2 Flaws in vRealize Operations

If Exploited, Flaws Could Open Door to Theft of Admin Credentials

VMware has issued patches for two critical vulnerabilities in its IT operations management platform, vRealize Operations, which, if exploited, could allow attackers to steal administrative credentials.

The platform is designed to offer self-driving IT operations management for private, hybrid and multi-cloud environments, unified in a single platform powered by artificial intelligence.

VMware issued patches on Tuesday for the flaws CVE-2021-21975, which has a CVSSv3 base score of 8.6, and CVE-2021-21983, which has a CVSSv3 base score of 7.2.

Egor Dimitrenko of Positive Technologies discovered these vulnerabilities and reported them to VMware.

If the two vulnerabilities are chained together, they could enable an attacker to conduct remote code execution in vRealize Operations, Positive Technologies reports.

VMware did not respond to a request for comment.

Lewis Jones, threat intelligence analyst at Talion, says the successful exploit of these vulnerabilities could enable the theft of administrative credentials via remote access.

“Users of VMware are advised to apply the security updates swiftly, but VMware has provided a workaround for users unable to do so,” Jones says. “To work around this issue, you will have to remove a configuration line from the casa-security-context.xml file and restart the CaSA service on the affected device.”

Exploit Risk

The vulnerability tracked as CVE-2021-21975 is a server-side request forgery flaw in the vRealize Operations Manager API. That means an attacker could abuse the server's own functionality to make it access or manipulate information that would otherwise not be directly reachable by the attacker.

Satnam Narang, staff research engineer at the security firm Tenable, says an unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable vROps Manager API endpoint.

The other flaw, CVE-2021-21983, is an arbitrary file write vulnerability in the vROps Manager API that could be exploited to write files to the underlying operating system.

“This vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw,” Narang says. “If attackers chain both CVE-2021-21975 and CVE-2021-21983 together, they could also gain remote code execution privileges.”

VMware has provided patches for both flaws across vROps Manager versions 7.5.0 through 8.3.0.

Other VMware Issues

Earlier in March, VMware issued patches for a critical vulnerability in its virtual desktop deployment platform, View Planner. The vulnerability, CVE-2021-21978, was caused by improper input validation and lack of authorization, resulting in arbitrary file upload in VMware’s View Planner web application (see: VMware Patches Vulnerability on View Planner).

In February, Positive Technologies noted that more than 6,000 VMware vCenter devices worldwide were susceptible to a critical remote code execution vulnerability. VMware issued recommendations for patching the flaw (see: 6,000 VMware vCenter Devices Vulnerable to Remote Attacks).

In December 2020, the U.S. National Security Agency warned that Russian state-sponsored threat actors were attempting to exploit a vulnerability in several VMware products (see: NSA: Russian Hackers Exploiting VMware Vulnerability).