RCE exploit activity targeting vCenter honeypots has been detected

UPDATED Enterprises running VMware’s vCenter Server have been urged to update their systems as new research indicates that around 4,000 instances are still vulnerable to two critical security flaws disclosed three weeks ago.

The vulnerabilities were found in vSphere Client (HTML5) and each notched a CVSS score of 9.8.

They include a remote code execution (RCE) bug (CVE-2021-21985) permitting command execution with unrestricted privileges and centering on a lack of input validation in the Virtual SAN Health Check plugin, which is enabled by default.

The other vulnerability (CVE-2021-21986) was found in the vSphere authentication mechanism used in multiple plugins. The upshot is that malicious actors can potentially “perform actions allowed by the impacted plug-ins without authentication”, the CVE description reads.

Even though a patch was issued by VMware on May 25, research published today (June 15) by SpiderLabs researchers reveals that more than 4,000 vCenter Server instances are still vulnerable to exploitation.

Rich pickings

vCenter Server is a centralized management utility used to manage virtual machines, ESXi hosts, and other dependent components.

VMware dominates the server virtualization market, with vSphere boasting the greatest market share and vCenter Server ranking fifth, according to Datanyze.

Using Shodan, Trustwave security researchers found 5,271 internet-facing instances of VMware vCenter Server, with nearly four in five (76%) – 4,019 – vulnerable to the flaws based on their self-reported version and use of the vulnerable port.

“Patching is a very difficult problem and often complex especially for large organizations,” Karl Sigler, senior security research manager for SpiderLabs threat intelligence at Trustwave, told The Daily Swig.

“You have geography and time zone issues. For production systems used by multiple teams, you need to coordinate with those teams for expected downtime.

“Many times, patches need to be tested in lab environments prior to being pushed to production systems to verify that the patch won’t cause more issues than they solve.”

A further 950 vCenter Server hosts are running even older builds than the vulnerable versions, all bar eight of which are running versions that have reached their end of life.

Although SpiderLabs says it has found no in-the-wild exploitation, Troy Mursch, chief research officer of threat intelligence firm Bad Packets, tweeted on June 13 that several hosts were attempting to exploit the RCE flaw in attacks against Bad Packets’ vCenter honeypots.

Patches and mitigations

Affected versions include vCenter Server 6.5.0 before 6.5.0 build 17994927, 6.7.0 before 6.7.0 build 18010531, and 7.0.0 before 7.0.2 build 17958471, as well as Cloud Foundation vCenter Server 3.x before build 18015401, and 4.x before 4.2.1 build 18016307.

The patched versions of vCenter Server are 6.5 U3p, 6.7 U3n, and 7.0 U2b, while Cloud Foundation was updated in versions and 4.2.1.
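As an added illustration of the build-based check described above (not Trustwave's or VMware's own code), this hypothetical Python helper flags inventory entries whose self-reported release line and build fall below the first fixed build listed in this article. The host names and all build values other than the fixed ones are constructed, and the helper assumes build numbers increase monotonically within a release line.

```python
# First fixed build per release line, as listed in the article's "Patches and
# mitigations" section; earlier builds on the same line are affected.
FIXED_BUILDS = {
    ("vCenter Server", "6.5"): 17994927,
    ("vCenter Server", "6.7"): 18010531,
    ("vCenter Server", "7.0"): 17958471,
    ("Cloud Foundation", "3"): 18015401,
    ("Cloud Foundation", "4"): 18016307,
}

def release_line(product, version):
    """Map a full version ('6.7.0', '4.2.1') to the key used in FIXED_BUILDS."""
    parts = version.split(".")
    return parts[0] if product == "Cloud Foundation" else ".".join(parts[:2])

def assess(product, version, build):
    """Classify one self-reported product/version/build.

    'patched'    - build is at or above the first fixed build for its line
    'vulnerable' - build is below the fixed build of an affected line
    'older-line' - release line predates the affected ones (mostly end-of-life)
    Assumption: build numbers increase monotonically within a release line.
    """
    key = (product, release_line(product, version))
    if key not in FIXED_BUILDS:
        return "older-line"
    return "patched" if build >= FIXED_BUILDS[key] else "vulnerable"

# Constructed sample inventory: (hostname, product, self-reported version, build).
# Only the two fixed builds are real; the other values are made up for the demo.
INVENTORY = [
    ("vc-prod-01", "vCenter Server", "6.7.0", 17000000),
    ("vc-prod-02", "vCenter Server", "7.0.2", 17958471),
    ("vc-lab-03", "vCenter Server", "6.5.0", 17994927),
    ("vc-old-04", "vCenter Server", "6.0.0", 9000000),
    ("vcf-05", "Cloud Foundation", "4.2.0", 17500000),
]

def triage(inventory):
    """Group hosts by status so vulnerable ones can be prioritised for patching."""
    report = {"vulnerable": [], "patched": [], "older-line": []}
    for host, product, version, build in inventory:
        report[assess(product, version, build)].append(host)
    return report

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A real inventory would come from an asset database or a Shodan export rather than the inline list, but the classification step is the same.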

VMware has previously issued instructions, aimed at organizations unable to apply the updates immediately, on how to disable the affected plugins.

The RCE flaw was discovered by ‘Ricter Z’ of Chinese infosec firm 360 Noah Lab, with the other flaw detected internally.

This article was updated on June 15 with comments from Karl Sigler of Trustwave, and on June 16 to reflect the fact that Bad Packets has detected attempts to exploit the vulnerabilities.