6,000 VMware vCenter appliances vulnerable to remote attacks

More than 6,000 VMware vCenter appliances around the world that are accessible over the internet contain a critical remote code execution vulnerability, security firm Positive Technologies said. VMware has now issued a method for patching the vulnerability.

The vulnerability, tracked as CVE-2021-21972, could, if exploited, enable hackers to execute arbitrary commands, compromise vCenter servers, and potentially gain access to sensitive data.

The vulnerability was discovered in the vSphere Client (HTML5), a plug-in for VMware vCenter that typically serves as a management interface to access VMware hosts installed on workstations on large corporate networks. This interface allows administrators to create and manage virtual machines and host resources.

Mikhail Klyuchnikov, a researcher at Positive Technologies, said that by exploiting the vulnerability, an unauthorized user could send a specially crafted request that could ultimately execute arbitrary commands on the server.

Klyuchnikov said: “Once given such an opportunity, an attacker can launch such an attack, successfully traverse the corporate network, and access data stored in the attacked system (such as information about virtual machines and system users). If the vulnerable software is accessible from the Internet, this would allow an external attacker to break into the company’s external perimeter and access sensitive data. This vulnerability is dangerous because it can be used by any unauthorized user.”

Organizations should prioritize patching any VMware vCenter appliances, said Javvad Malik, a security awareness advocate at security firm KnowBe4.

Positive Technologies said that of the more than 6,000 VMware vCenter appliances worldwide, 26 percent are located in the United States, with the remainder in Germany, France, China, the United Kingdom, Canada, Russia, Taiwan, Iran and Italy.

However, researchers at security firms report that the main threat of exploitation of this vulnerability comes from insiders, or from others who have used methods such as social engineering or web exploits to get past the network perimeter and gain access to internal networks.

In August 2020, Positive Technologies published a research report on external penetration testing, in which testers successfully breached the network perimeter and gained access to 93% of the company’s local network resources.

“Although more than 90 percent of VMware vCenter appliances are entirely perimeter-based, according to Positive Technologies analytics estimates, some of these appliances can be accessed remotely,” the researchers noted.


Additionally, Positive Technologies discovered a VMware vCenter Server vulnerability, CVE-2021-21973, that allows unauthorized users to send POST requests to the vCenter Server plugin, resulting in information disclosure. This can facilitate further attacks by hackers, allowing them to scan a company’s internal network and gain information about open ports for various services.

Positive Technologies recommends installing the update from VMware and removing the vCenter Server interface organization-wide, assigning it to a separate VLAN with restricted access lists on the internal network.

“Even if a company like VMware makes sure to deliver secure software to its customers, there could still be security holes after the release,” said Boris Seaport, a senior security engineer at security firm Synopsys.

Earlier, Positive Technologies researcher Egor Dimitrenko discovered a critical vulnerability in the VMware vSphere Replication tool. If exploited, an attacker could gain access to the tool’s administrative web interface, execute arbitrary code on a server with maximum privileges, and initiate lateral movement across the network to seize control of a company’s infrastructure.
