RCE exploit activity targeting vCenter honeypots has been detected
UPDATED Enterprises running VMware’s vCenter Server have been urged to update their systems as new research indicates that around 4,000 instances are still vulnerable to two critical security flaws disclosed three weeks ago.
The vulnerabilities were found in vSphere Client (HTML5) and each notched a CVSS score of 9.8.
They include a remote code execution (RCE) bug (CVE-2021-21985) permitting command execution with unrestricted privileges and centering on a lack of input validation in the Virtual SAN Health Check plugin, which is enabled by default.
The other vulnerability (CVE-2021-21986) was found in the vSphere authentication mechanism used in multiple plugins. The upshot is that malicious actors can potentially “perform actions allowed by the impacted plug-ins without authentication”, the CVE description reads.
Even though a patch was issued by VMware on May 25, research published today (June 15) by SpiderLabs researchers reveals that more than 4,000 vCenter Server instances are still vulnerable to exploitation.
vCenter Server is a centralized management utility used to manage virtual machines, ESXi hosts, and other dependent components.
VMware dominates the server virtualization market, with vSphere boasting the greatest market share and vCenter Server ranking fifth, according to Datanyze.
Using Shodan, Trustwave security researchers found 5,271 internet-facing instances of VMWare vCenter Server, with nearly four in five (76%) – 4,019 – vulnerable to the flaws based on their self-reported version and use of the vulnerable port.
“Patching is a very difficult problem and often complex especially for large organizations,” Karl Sigler, senior security research manager for SpiderLabs threat intelligence at Trustwave, told The Daily Swig.
“You have geography and time zone issues. For production systems used by multiple teams, you need to coordinate with those teams for expected downtime.
“Many times, patches need to be tested in lab environments prior to being pushed to production systems to verify that the patch won’t cause more issues that they solve.”
A further 950 VCenter Server hosts are running even older builds than the vulnerable versions, all bar eight of which are running versions that have reached their end of life.
Although SpiderLabs says it has found no in-the-wild exploitation, Troy Mursch, chief research officer of threat intelligence firm Bad Packets, tweeted on June 13 that several hosts were attempting to exploit the RCE flaw in attacks against Bad Packets’ vCenter honeypots.
Patches and mitigations
Affected versions include vCenter Server 6.5.0 before 6.5.0 build 17994927, 6.7.0 before 6.7.0 build 18010531, and 7.0.0 before 7.0.2 build 17958471, as well as Cloud Foundation vCenter Server 3.x before 220.127.116.11 build 18015401, and 4.x before 4.2.1 build 18016307.
The patched versions of vCenter Server are 6.5 U3p, 6.7 U3n, and 7.0 U2b, while Cloud Foundation was updated in versions 18.104.22.168 and 4.2.1.
VMWare has previously issued instructions on how to disable the affected plugins aimed at organizations unable to apply the updates immediately.
The RCE flaw was discovered by ‘Ricter Z’ of Chinese infosec firm 360 Noah Lab, with the other flaw detected internally.
This article was updated on June 15 with comments from Karl Sigler of Trustwave, and on June 16 to reflect the fact Bad Packets has detected attempts to exploit the vulnerabilities
DON’T FORGET TO READ Security researcher turns Apache Airflow into bug bounty cash cow