Severe RCE Vulnerability in VMware vCenter Server Is Under Attack
VMware Customers Are Also Urged to Patch ASAP to Prevent Future Ransomware Attacks Targeting Vulnerable vCenter Servers.
Last updated on June 7, 2021
Cybercriminals are scanning for VMware vCenter servers vulnerable to a severe remote code execution (RCE) bug that affects all vCenter deployments and was patched by VMware ten days ago.
Last week, the threat intelligence company Bad Packets was the first to see the ongoing scanning activity, later corroborated by cybersecurity specialist Kevin Beaumont.
The flaw, tracked as CVE-2021-21985, lies in vCenter Server, the management platform used to run virtualization in large data centers.
A VMware press release issued last week stated that vCenter machines using default configurations contain a vulnerability that, in many networks, allows execution of malicious code when the machines can be reached on a port exposed to the Internet.
On Wednesday, a researcher published proof-of-concept (PoC) code that exploits the vulnerability. Another specialist said the exploit is reliable and that little extra work would be needed to turn the code to malicious use.
It can be reproduced using five requests from cURL, a command-line tool that transfers data using HTTP, HTTPS, IMAP, and other common Internet protocols.
The security vulnerability can be exploited remotely by unauthenticated attackers in low-complexity attacks that require no user interaction.
Successful exploitation lets cybercriminals take control of a company’s entire network, because IT departments and administrators use VMware vCenter servers to manage the VMware solutions deployed across the organization’s environments.
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.
Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.
Following the release of security updates to address the bug tracked as CVE-2021-21985, VMware warned that these updates fix a critical security flaw and should be acted on immediately.
The company also added that this bug can be employed by anyone who can reach vCenter Server over the network to obtain access, regardless of whether you use vSAN or not.
As we said before, vCenter lives in potentially unprotected parts of big companies’ networks. Once threat actors acquire control of the machines, it’s frequently just a matter of time before they can move to parts of the network that enable the installation of espionage malware or ransomware.
In this era of ransomware, it is safest to assume that an attacker is already inside the network somewhere, on a desktop, and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.
VMware also provides workaround measures, intended to remove the attack vector and the chance of exploitation, for those who cannot apply the security updates right away: the affected plug-ins are set to “incompatible”.
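The following is an added example of how an administrator could verify, and if necessary apply, that “mark the affected plug-ins incompatible” workaround against a plug-in compatibility matrix; it is not code from the article or from VMware. The matrix layout, element and attribute names, and the plug-in IDs are assumptions and placeholders, so substitute the IDs and file path given in the vendor’s own workaround documentation.

```python
# Added example: check and apply the "plug-in marked incompatible" workaround.
# ASSUMPTION: the vSphere UI keeps a plug-in compatibility matrix as XML with
# <PluginPackage id="..." status="..."/> entries; names below are placeholders.
import xml.etree.ElementTree as ET

# Constructed sample of a matrix before the workaround is applied.
SAMPLE_MATRIX = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.example.unrelated-plugin" status="compatible"/>
  </pluginsCompatibility>
</Matrix>"""

# Placeholder IDs standing in for the affected plug-ins named in the advisory.
AFFECTED_PLUGINS = ["com.example.vsan-health", "com.example.other-affected"]


def missing_incompatible(matrix_xml: str, plugin_ids) -> list:
    """Return the plug-in IDs that are NOT yet marked status="incompatible"."""
    root = ET.fromstring(matrix_xml)
    disabled = {
        pkg.get("id")
        for pkg in root.iter("PluginPackage")
        if pkg.get("status") == "incompatible"
    }
    return [pid for pid in plugin_ids if pid not in disabled]


def apply_workaround(matrix_xml: str, plugin_ids) -> str:
    """Return the matrix with every listed plug-in marked incompatible.

    Idempotent: entries already disabled are left alone, an existing entry
    with another status is flipped, and unknown plug-ins get a new entry.
    """
    root = ET.fromstring(matrix_xml)
    container = root.find("pluginsCompatibility")
    if container is None:
        container = ET.SubElement(root, "pluginsCompatibility")
    for pid in missing_incompatible(matrix_xml, plugin_ids):
        existing = [p for p in container.iter("PluginPackage") if p.get("id") == pid]
        if existing:
            existing[0].set("status", "incompatible")
        else:
            ET.SubElement(container, "PluginPackage", id=pid, status="incompatible")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # On a real appliance this would read and rewrite the matrix file and then
    # restart the vSphere UI service; here the sample stays in memory.
    print("still enabled:", missing_incompatible(SAMPLE_MATRIX, AFFECTED_PLUGINS))
    print(apply_workaround(SAMPLE_MATRIX, AFFECTED_PLUGINS))
```

Running `missing_incompatible` again after the change is the verification step: an empty list means every affected plug-in is disabled in the matrix.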
Admins in charge of vCenter machines that have yet to patch CVE-2021-21985 should install the update as quickly as possible.
Our Automated Heimdal™ Patch & Asset Management solution will automatically install updates based on your configured policies, without the need for manual input. As soon as 3rd party vendors release new patches, our technology silently deploys them to your endpoints, without the need for reboots or user interruption.
Automate your patch management routine.
Heimdal® Patch & Asset Management Software
Remotely and automatically install Windows, Linux and 3rd party application updates and manage your software inventory.
As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.