Attackers could exploit the built-in update mechanism to execute arbitrary commands on the server without authentication
Positive Technologies announced today that its researcher uncovered a dangerous vulnerability in VMware vRealize Business for Cloud, a product designed for cloud costing analysis that helps organizations visualize and plan expenses and compare business indicators. The flaw has been patched by VMware, which published a security advisory.
The vulnerability, discovered by Positive Technologies researcher Egor Dimitrenko and tracked as CVE-2021-21984, has a CVSS v3 score of 9.8, which marks it as a critical flaw that should be patched immediately. It belongs to the pre-authentication remote code execution (pre-auth RCE) class: arbitrary commands can be executed on the server by a user who has not authenticated at all. An attacker who exploits it gains full control over the server and can use it as a foothold for further attacks on the company's infrastructure.
"Due to the incorrect configuration of the application, an unidentified attacker could gain access to the built-in update mechanism," notes Dimitrenko. "This function allows them to execute arbitrary commands on the server by exploiting the legitimate mechanism for installing new versions of the product. The errors related to the incorrect configuration of access lists are caused by insufficient testing of new functionality at the time of the release."
To fix the vulnerability, organizations should follow the recommendations in VMware's official advisory. Where the update cannot be installed immediately, organizations can watch for signs of compromise with a SIEM solution (such as MaxPatrol SIEM) that flags suspicious behavior on the server, registers an incident, and helps stop intruders from moving laterally within the corporate network. Monitoring is a compensating control rather than a fix: it does not close the pre-authentication entry point, so network access to the appliance should also be limited to trusted administrative hosts until the patch is applied.
This follows earlier vulnerabilities that Dimitrenko discovered and responsibly disclosed to VMware, including flaws in its infrastructure monitoring software, in VMware vSphere Replication, and in VMware's endpoint protection platform.