If Exploited, Flaws Could Open Door to Theft of Admin Credentials
VMware has issued patches for two critical vulnerabilities in its IT operations management platform, vRealize Operations, which, if exploited, could allow attackers to steal administrative credentials.
The platform is designed to offer self-driving IT operations management for private, hybrid and multi-cloud environments in a unified platform powered by artificial intelligence.
Egor Dimitrenko of Positive Technologies discovered these vulnerabilities and reported them to VMware.
If the two vulnerabilities are chained together, they could enable an attacker to conduct remote code execution in vRealize Operations, Positive Technologies reports.
VMware did not respond to a request for comment.
VMware fixed CVE-2021-21975 and CVE-2021-21983, which when chained together lead to an unauth RCE in vRealize Operations.
The vulnerabilities were found by our researcher Egor Dimitrenko.
— PT SWARM (@ptswarm) March 30, 2021
Lewis Jones, threat intelligence analyst at Talion, says the successful exploit of these vulnerabilities could enable the theft of administrative credentials via remote access.
“Users of VMware are advised to apply the security updates swiftly, but VMware has provided a workaround for users unable to do so,” Jones says. “To work around this issue, you will have to remove a configuration line from the casa-security-context.xml file and restart the CaSA service on the affected device.”
The vulnerability tracked as CVE-2021-21975 is a server-side request forgery (SSRF) flaw in the vRealize Operations Manager API. In an SSRF attack, the attacker abuses the server's own functionality to make it access or manipulate information that would otherwise not be directly reachable by the attacker.
Satnam Narang, staff research engineer at the security firm Tenable, says an unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable vROps Manager API endpoint.
The other flaw, CVE-2021-21983, is an arbitrary file write vulnerability in the vROps Manager API that could be exploited to write files to the underlying operating system.
“This vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw,” Narang says. “If attackers chain both CVE-2021-21975 and CVE-2021-21983 together, they could also gain remote code execution privileges.”
VMware has provided patches for both flaws across vROps Manager versions 7.5.0 through 8.3.0.
Other VMware Issues
Earlier in March, VMware issued patches for a critical vulnerability in its virtual desktop deployment platform, View Planner. The vulnerability, CVE-2021-21978, was caused by improper input validation and lack of authorization, resulting in arbitrary file upload in VMware’s View Planner web application (see: VMware Patches Vulnerability on View Planner).
In February, Positive Technologies noted that more than 6,000 VMware vCenter devices worldwide were susceptible to a critical remote code execution vulnerability. VMware issued recommendations for patching the flaw (see: 6,000 VMware vCenter Devices Vulnerable to Remote Attacks).
In December 2020, the U.S. National Security Agency warned that Russian state-sponsored threat actors were attempting to exploit a vulnerability in several VMware products (see: NSA: Russian Hackers Exploiting VMware Vulnerability).