Public disclosure brought forward after exploits surface online
UPDATED VMware has patched a critical remote code execution (RCE) vulnerability in its vCenter server management software that could allow hackers to take over servers and gain access to sensitive data.
According to Positive Technologies, which also discovered a less serious server-side request forgery (SSRF) flaw, more than 6,000 VMware vCenter deployments could be vulnerable to the unauthenticated RCE exploit, with a quarter of these located in the US.
The firm brought forward disclosure of its findings after a proof-of-concept surfaced online and attackers began attempting exploitation.
The main threat, says Positive Technologies, comes from attackers already inside the network: those who have penetrated the perimeter using methods such as social engineering or exploiting web vulnerabilities, or who have access to the internal network through previously installed backdoors.
The RCE flaw, which is tracked as CVE-2021-21972 and has a CVSS score of 9.8, allows an unauthenticated user to send a specially crafted request, which opens the door for the execution of arbitrary commands on the server.
Attackers can then, says the company, move through the corporate network and gain access to data such as information about virtual machines and system users.
Critical, but not likely catastrophic
“By exploiting this flaw, a criminal could compromise a VMware hypervisor, which would allow access to critical internal infrastructure servers and business systems, such as domain controllers, Citrix servers, and servers of financial accounting systems, et cetera,” Mikhail Klyuchnikov, senior web application security researcher at Positive Technologies, tells The Daily Swig.
“It’s also possible for attackers to compromise the PCI DSS segment, opening up an opportunity to manage ATM network control servers or bank processing servers.
“Nevertheless, in the overwhelming majority of cases, vCenter is installed within an organization, and only a small, insignificant part of the total volume of vCenter installations are on the perimeter,” says Klyuchnikov.
“So although the vulnerability is critical, and the exploit appeared so early, it will not lead to a catastrophe.”
Positive Technologies originally held off on publishing full details of the vulnerability. However, the proof of concept was published by a Chinese security researcher, who described step by step how to reproduce it.
At this point, malicious hackers piled in to mass-scan and compromise systems, prompting Positive Technologies to publish its own findings.
Server-side security holes
The second vulnerability, an SSRF flaw (CVE-2021-21973) with a CVSS score of 5.3, allows unauthorized users to send requests on behalf of the targeted server, creating an opportunity for a hacker to develop further attacks.
Attackers could then scan the company's internal network and obtain information about the open ports of various services.
“These vulnerabilities are very serious. VMware holds up to 80% of the virtual machine market. Any companies using the VMware vCenter Server to manage their vSphere installations could become possible victims,” says Klyuchnikov.
“Our threat intelligence suggests there are over 6,000 VMware vCenter devices worldwide that are accessible from the internet and contain the most critical of the two vulnerabilities.”
VMware was alerted to the flaws on October 2, 2020, and released a patch addressing the flaws on February 23.
Positive Technologies, which disclosed its findings on February 24, also recommends removing any vCenter Server interfaces from the network perimeter and instead placing them on a separate VLAN within the internal network, protected by a restrictive access list.
“In line with VMware's commitment to responsible disclosure, we issued a public security advisory with a fix and workaround for a security issue that was privately reported to us in order to help our customers stay safe,” a spokesperson for VMware told The Daily Swig.
“As a matter of best practice, VMware always encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment and deploy our products in a security hardened configuration.”
This article was updated with comments from VMware on March 1.