A Critical VMware Bug Found in the Default vCenter
Customers Should Immediately Patch a Critical Arbitrary File Upload Vulnerability Discovered in the Analytics Service.
The vulnerability affects all appliances running default vCenter Server 6.7 and 7.0 deployments.
vCenter Server is a server management system that provides a single dashboard for IT administrators to manage virtualized hosts and virtual machines in business environments.
In this era of ransomware, it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.
The Critical Vulnerability Received an Almost Perfect Severity Score
CVE-2021-22005, the vulnerability affecting VMware, received a CVSS 3.1 severity rating of 9.8/10, meaning that attackers can exploit it to execute commands and software on unpatched vCenter Server deployments by uploading a specially crafted file.
The most urgent addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach the vCenter Server over the network to gain access, regardless of the configuration settings of the vCenter Server.
George Noseevich and Sergey Gerasimov from SolidLab LLC are the researchers who discovered the vulnerability. It can be exploited remotely by unauthenticated attackers in low-complexity attacks that don't require user interaction.
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
VMware is urging all users to patch this vulnerability as soon as possible.
Immediately, the ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.
With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing and act accordingly.
This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.
Fortunately, VMware has provided a workaround as a temporary solution for those who are not able to patch their appliances immediately.
Applying the workaround requires editing a text file on the virtual appliance and then either manually restarting services or using a VMware-provided script to remove the possibility of exploitation.
More details can be found in an FAQ document that contains additional questions and answers regarding CVE-2021-22005.