The day after VMware released fixes for a critical RCE flaw (CVE-2021-21972) found in a default vCenter Server plugin, opportunistic attackers began searching for publicly accessible vulnerable systems.
We've detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).
Query our API for "tags=CVE-2021-21972" for relevant indicators and source IP addresses. #threatintel https://t.co/AcSZ40U5Gp
— Bad Packets (@bad_packets) February 24, 2021
“In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),” noted Mikhail Klyuchnikov, the Positive Technologies researcher who unearthed this latest critical VMware flaw.
“The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server. After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users). If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data.”
About the vulnerability (CVE-2021-21972)
CVE-2021-21972 affects vCenter Server, an application that allows admins to manage their vSphere (virtualization platform) infrastructure and ESXi (hypervisor) hosts from a single console. It can be installed on a Windows or Linux system.
Positive Technologies have found over 6,000 vulnerable VMware vCenter devices accessible from the internet, a quarter of these which are located in the United States (26%), followed by Germany (7%), France (6%), China (6%), Great Britain (4%), Canada (4%), Russia (3%), Taiwan (3%), Iran (3%), and Italy (3%).
“In the context of this vulnerability, the main threat comes from insiders who have penetrated the protection of the network perimeter using other methods (such as social engineering or web vulnerabilities) or have access to the internal network using previously installed backdoors,” the company noted.
Several PoC exploit scripts have already popped up on GitHub, and Klyuchnikov followed with the release of additional technical details about the vulnerability, as well as the whole process of getting RCE on Windows and Linux.
Due to the vulnerability’s critical nature and the availability of PoCs, admins should implement the offered security updates as soon as possible. A workaround is available, but it is meant to just be a temporary solution until the updates can be deployed.
Alongside CVE-2021-21972, VMware has also fixed CVE-2021-21973, a SSRF vulnerability in the vSphere Client also discovered by Klyuchnikov, and CVE-2021-21974, a heap-overflow vulnerability in ESXi, reported by Lucas Leong of Trend Micro’s Zero Day Initiative.