Severe RCE Vulnerability in VMware vCenter Server Is Under Attack
VMware Clients Are Also Urged to Patch ASAP to Prevent Future Ransomware Attacks Targeting Vulnerable vCenter Servers.
Cybercriminals are scanning for VMware vCenter servers vulnerable to a severe remote code execution (RCE) bug that affects all vCenter deployments and was patched by VMware ten days ago.
The flaw, tracked as CVE-2021-21985, is located in vCenter Server, the tool used to manage virtualization in large data centers.
A VMware press release issued last week stated that vCenter machines running default configurations contain a vulnerability that, in many networks, allows execution of malicious code when the machines can be reached on a port exposed to the Internet.
On Wednesday, a researcher published proof-of-concept (PoC) code that exploits the vulnerability. Another specialist stated that the exploit is reliable and that little extra work is required to use the code for malicious purposes.
The exploit can be reproduced with five requests from cURL, a command-line tool that transfers data using HTTP, HTTPS, IMAP and other common Internet protocols.
Mass scanning activity detected from 126.96.36.199 (🇳🇱) checking for VMware vSphere hosts vulnerable to remote code execution (CVE-2021-21985).
— Bad Packets (@bad_packets) June 3, 2021
The security vulnerability can be exploited remotely by unauthenticated threat actors in low-complexity attacks that require no user interaction.
Successful exploitation enables cybercriminals to take control of a company's entire network, since IT departments and administrators use VMware vCenter servers to manage VMware solutions deployed across organization environments.
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.
The Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.
Finally, Chinese speaking win the race https://t.co/MALLHMW4po
— Janggggg (@testanull) June 3, 2021
Following the release of security updates addressing the bug tracked as CVE-2021-21985, VMware warned that the updates fix a severe security flaw that needs to be dealt with immediately.
The company also added that the bug can be exploited by anyone who can reach vCenter Server over the network to gain access, regardless of whether vSAN is in use.
As we said before, vCenter lives in potentially unprotected parts of large companies' networks. Once threat actors gain control of these machines, it is frequently only a matter of time before they can move to parts of the network where they can install espionage malware or ransomware.
In this era of ransomware, it is safest to assume that an attacker is already inside the network somewhere, on a desktop, and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.
The company also provides workaround measures, designed to remove the attack vector and the chance of exploitation by setting the affected plug-ins to "incompatible", for those who cannot immediately apply the security updates.
Admins in charge of vCenter machines that have yet to be patched against CVE-2021-21985 should install the update as quickly as possible.
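One way to verify that the plug-in workaround is in place on a vCenter appliance, added here as an example and not code from this article or from VMware: VMware's published workaround marks the affected plug-ins `status="incompatible"` in the vSphere UI compatibility matrix, and this check parses that file for the vSAN plug-in entry. The file path `/etc/vmware/vsphere-ui/compatibility-matrix.xml`, the `PluginPackage` element and the plug-in id `com.vmware.vsan.client` come from VMware's workaround KB rather than from this page (verify them against the KB); the two sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Location of the vSphere UI plug-in compatibility matrix on a vCenter
# appliance (assumption taken from VMware's workaround KB, not from this page).
MATRIX_PATH = "/etc/vmware/vsphere-ui/compatibility-matrix.xml"

# Plug-in id of the Virtual SAN Health Check plug-in (assumption, from the KB).
VSAN_PLUGIN_ID = "com.vmware.vsan.client"


def plugin_status(xml_text: str, plugin_id: str):
    """Return the 'status' attribute of the PluginPackage entry for plugin_id,
    or None when the matrix has no entry for that plug-in at all."""
    root = ET.fromstring(xml_text)
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == plugin_id:
            return pkg.get("status")
    return None


def workaround_applied(xml_text: str, plugin_id: str = VSAN_PLUGIN_ID) -> bool:
    """True only if the plug-in is explicitly marked incompatible (disabled).
    A missing entry or any other status means the plug-in still loads."""
    return plugin_status(xml_text, plugin_id) == "incompatible"


def check_appliance(path: str = MATRIX_PATH) -> bool:
    """Read the live matrix file and report whether the workaround is set."""
    with open(path, encoding="utf-8") as fh:
        return workaround_applied(fh.read())


# Constructed sample: default matrix with no entry for the vSAN plug-in.
DEFAULT_MATRIX = """<Matrix>
  <pluginsCompatibility>
  </pluginsCompatibility>
</Matrix>"""

# Constructed sample: matrix after the workaround has been applied.
HARDENED_MATRIX = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vsan.client" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>"""


if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_MATRIX), ("hardened", HARDENED_MATRIX)):
        print(f"{name}: vSAN plug-in disabled = {workaround_applied(doc)}")
```

The matrix is only read when the vsphere-ui service starts, so a positive result shows the file is set, not that the running UI has reloaded it; the workaround reduces exposure until the update itself is installed.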
Our Automated Heimdal™ Patch & Asset Management solution will automatically install updates based on your configured policies, without the need for manual input. As soon as 3rd party vendors release new patches, our technology silently deploys them to your endpoints, without the need for reboots or user interruption.