Threats include execution of arbitrary commands on the server and the possibility of escalating the attack to gain full control over IT systems
Positive Technologies expert Egor Dimitrenko discovered two vulnerabilities in VMware vRealize Operations (vROps). The solution is designed for monitoring and optimizing the performance of the virtual infrastructure, and eliminating flaws in it.
The first and most dangerous vulnerability was detected in the vROps API. This server-side request forgery vulnerability is tracked as CVE-2021-21975 and has a CVSS v3 score of 8.6. By exploiting this flaw, any unauthorized attacker can steal administrative credentials and obtain access to the application with maximum privileges, which allows changing the application configuration and intercepting any data within the app.
Egor Dimitrenko explains: "The main risk is that administrator privileges allow attackers to exploit the second vulnerability—CVE-2021-21983 (an arbitrary file write flaw, scored 7.2), which allows executing any commands on the server. The combination of two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to obtain control over the server and move laterally within the infrastructure. By the level of danger, it can be compared to the CVE-2021-21972 vulnerability in VMware vCenter that we discovered before."
Vulnerabilities like CVE-2021-21975 occur because developers want to solve problems in the easiest way possible, which is not always secure. Flaws similar to CVE-2021-21983 usually result from insufficient filtering of user input data.
Applications such as vROps are normally located in the internal network, but can also be encountered on the perimeter due to misconfiguration or in case specific tasks need to be handled. For example, the number of Internet-accessible VMware vCenter devices containing the CVE-2021-21972 vulnerability at the moment of its discovery in late February 2021 exceeded six thousand around the world.
To eliminate the vulnerabilities, follow the recommendations in the official VMware notice. If installing the update is impossible, signs of penetration can be detected using a SIEM solution (such as MaxPatrol SIEM), which helps identify suspicious behavior on the server, register an incident, and prevent intruders from moving laterally within the corporate network in a timely manner.