The RCE vulnerability allows attackers to execute arbitrary commands on the server, compromising the vCenter Server, and gain access to sensitive data
VMware has thanked Positive Technologies expert Mikhail Klyuchnikov for his help in eliminating two vulnerabilities in vCenter Server. This platform is designed for centralized management and automation of VMware vSphere, a key product in modern data centers. IDC estimates that the company holds up to 80 percent of the virtual machine market. In 2019, VMware was included in the Fortune Future 50
Remote Code Execution is one of the most critical threats according to OWASP. In 100 percent of cases, remote code execution on a server allows hacking of the attacked resource. The vulnerability is known as CVE-2021-21972 and has a CVSS v3 score of 9.8. The problem was found in the vSphere Client functionality.
In the context of this vulnerability, the main threat comes from insiders who have penetrated the protection of the network perimeter using other methods (such as social engineering or web vulnerabilities) or have access to the internal network using previously installed backdoors. Last year, we published research into external pentests, in which Positive Technologies specialists managed to get inside the network perimeter and gain access to local network resources in 93 percent of companies.
Despite the fact that more than 90 percent of VMware vCenter devices are located entirely inside the perimeter (as estimated by Positive Technologies Analytics), some of them are accessible remotely. According to threat monitoring (threat intelligence) at Positive Technologies, there are over 6,000 VMware vCenter devices worldwide that are accessible from the Internet and contain the CVE-2021-21972 vulnerability. A quarter of these devices are located in the United States (26%), followed by Germany (7%), France (6%), China (6%), Great Britain (4%), Canada (4%), Russia (3%), Taiwan (3%), Iran (3%), and Italy (3%).
Mikhail Klyuchnikov at Positive Technologies explains:
"In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix ( CVE-2019-19781). The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server. After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users). If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company's external perimeter and also gain access to sensitive data. Once again, I would like to note that this vulnerability is dangerous, as it can be used by any unauthorized user."
Another vulnerability (CVE-2021-21973 with a CVSS score of 5.3) discovered by Positive Technologies allows for unauthorized users to send requests as the targeted server. This error would then help the attacker to develop further attacks. In particular, by using these flaws, attackers could then scan the company's internal network and obtain information about the open ports of various services.
Positive Technologies experts strongly recommend installing updates from the vendor and removing vCenter Server interfaces from the perimeter of organizations, if they are there, and allocate them to a separate VLAN with a limited access list in the internal network.
To eliminate the vulnerabilities, companies should follow the recommendations specified in the official VMware notice.
Earlier this month, Positive Technologies expert Egor Dimitrenko discovered a high-severity vulnerability in the VMware vSphere Replication data replication tool.