VMware vCenter Servers Under Active Attack, Patch Now!

Post author:Rinu K
Post published:October 1, 2021
Reading time:5 mins read
Post category:Endpoint Management / Endpoint Security / Endpoint Security and Management / Security Research and Intelligence / Vulnerability Management
Post comments:0 Comments

VMware, the virtualization giant, has patched 19 vulnerabilities, including one critical vulnerability, ten important vulnerabilities, and eight moderate vulnerabilities, in its latest security advisory VMSA-2021-0020. The vulnerabilities tracked as CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22012, CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22018, CVE-2021-22019, CVE-2021-22020 are affecting the widely used VMware vCenter Server and VMware Cloud Foundation.

Successful exploitation of these vulnerabilities allows attackers to conduct code execution, sensitive information disclosure, privilege escalation, cross-site scripting, server-side request forgery, and denial of service.

VMware has also released a patch for an arbitrary file upload vulnerability (CVE-2021-22005) in its Analytics service, which is being exploited in the wild.

CVE-2021-22005 Actively Exploited In The Wild

A critical remote code execution vulnerability is found in the VMware vCenter. The flaw is due to an arbitrary file upload vulnerability in its analytics service. It allows attackers to execute commands and software on the vCenter Server Appliance. Anyone who can reach the vCenter Server over the network can use this vulnerability to gain access irrespective of the configuration settings of the vCenter Server.

Below attached screenshot of a cURL request that can be performed against the analytics service endpoint to identify vulnerable and non-vulnerable hosts:

Vulnerable host :

Here Server responds with a 200/OK and anything other than ‘OFF‘ in the response body (such as ‘FULL‘)

Non Vulnerable host :

Here Server responds with a 200/OK and body content of ‘OFF‘ in the response body. i.e., It is likely not vulnerable and also unpatched with no workaround applied.

If the Server responds with a 400/Bad Request, it is patched, and if it responds with 404, either the workaround has been applied, or is not applicable.

Affected Applications

vCenter Server 6.7 before 6.7u3o and 7.0 before 7.0u2c
Cloud Foundation 3. x before 3.10.2.2, 4. x before 4.3

Solution

vCenter Server 6.7u3o for 6.7, 7.0u2c for 7.0
Cloud Foundation 3.10.2.2 for 3. x, 4.3 for 4. x

SanerNow VM detects these vulnerabilities. We strongly recommend applying the security updates for all vulnerabilities on high priority.

Tags: critical remote code execution, VMWare, vmware vcenter, wildly exploited

0 0 votes

Article Rating

0 Comments

Inline Feedbacks

View all comments

CVE-2021-22005 Actively Exploited In The Wild

Vulnerable host :

Non Vulnerable host :

Affected Applications

Solution

You Might Also Like

WordPress File Manager Plugin Under Active Exploitation

Adobe Critical Security Updates March 2020