VMware Discloses and Releases Fixes for 19 Bugs in ProductsCISA Warns of 'Widespread Exploitation' for 1 Critical Bug
Cybersecurity vendor VMware has released a security advisory detailing 19 vulnerabilities affecting its vCenter server and Cloud Foundation products and has released fixes for all of them. p>
Exploited Critical Bug
One of the vulnerabilities, tracked as CVE-2021-22005 has a CVSS of 9.8, and VMware says in its advisory that it has "confirmed reports" of the vulnerability's exploitation in the wild.
The Cybersecurity and Infrastructure Security Agency also has issued a statement, warning users of the "widespread exploitation" of the vulnerability. It advises affected entities to upgrade their systems to the patched version or apply a VMware-recommended temporary workaround until the patch can be applied.
Users can view a video that explains the workaround option here.
"In this era of ransomware, it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account," Bob Plankers, who works in technical marketing at VMware, says in a blog post. He advises users to declare an emergency change and patch their servers as soon as possible.
While VMware did not specify the number of devices at risk, security firm Censys found that there are nearly 7,000 VMWare vCenter servers on the public internet and 3,264 hosts are internet-facing and potentially vulnerable. Only 436 of all servers on public internet are patched, while 1,369 are either unaffected versions or have the workaround applied, the Censys report adds.
Critical Vulnerability Analysis
According to VMware, CVE-2021-22005 is a file upload vulnerability in the analytics service of the vCenter server.
"A malicious actor with network access to port 443 on vCenter server may exploit this issue to execute code on vCenter server by uploading a specially crafted file," VMware says, adding that the vulnerability only affects vCenter versions 6.7 and 7.0.
Cybersecurity firm Randori has developed a proof-of-concept exploit, detailing the exploitation, detection and actions required to address this flaw.
Randori says it has developed a "reliable" working exploit and leveraged it on its automated red team platform, as VMware's vCenter servers are widely adopted in its client environments.
A new variant of the vulnerability has been confirmed with a successful POC by Will Dormann, a vulnerability analyst at the CERT Coordination Center.
According to Dormann, a new variant of the vulnerability emerged on Sept. 24, days after VMware made the initial vulnerability disclosure on Sept. 21. Dormann notes that the redacted POC described by security researcher William Vu does not require Customer Experience Improvement Program - or CEIP - to be enabled.
CEIP collects system information, such as configuration settings and hardware configurations, to improve features and address common problems.
The new variant can also be used to open a reverse shell on a vulnerable server, allowing remote attackers to execute arbitrary code, news platform Bleeping Computer reported, citing Vu. He reportedly says that the new vulnerability variant allows a threat actor to upload a file to the vCenter server analytics service without requiring any authentication.
Vietnamese security researcher Jang posted a POC exploit for CVE-2021-22005 - albeit an incomplete one at the time - providing hints to overcome the workarounds issued by VMware.
Dormann, however, says that Jang's POC was not incomplete, but an example of vulnerability chaining that involves other flaws that are fixed in the patch released by VMware. When the POC is used in some combination with CVE-2021-22006, CVE-2021-22007 and/or CVE-2021-22008 - which are also among the 19 vulnerabilities VMware initially disclosed - it allows unauthenticated RCE as root, he says.
The completed POC exploit is available here.
Dormann says keeping abreast of the vulnerability chaining tactic is key. "No vulnerability in the update was higher than 'important.' What if all vulnerabilities had low CVSS scores but were chainable to RCE with virtually complete public exploit available?" That's why patching needs to be done as soon as possible for all of the vulnerabilities, he says.
This is the second instance of a significant vulnerability discovery in VCenter this year. In Feb. 2021, security firm Positive Technologies found more than 6,000 VMware vCenter devices worldwide that were accessible via the internet, containing a critical remote code execution vulnerability (see: 6,000 VMware vCenter Devices Vulnerable to Remote Attacks).