This is not a drill: VMware vuln with 9.8 severity rating is under attack

By | June 4, 2021

A VMware vulnerability with a severity rating of 9.8 out of 10 is under active exploitation. At least one reliable exploit has gone public, and there have been successful attempts in the wild to compromise servers that run the vulnerable software.

The vulnerability, tracked as CVE-2021-21985, resides in the vCenter Server, a tool for managing virtualization in large data centers. A VMware advisory published last week said vCenter machines using default configurations have a bug that, in many networks, allows for the execution of malicious code when the machines are reachable on a port that is exposed to the Internet.

Code execution, no authentication required

On Wednesday, a researcher published proof-of-concept code that exploits the flaw. A fellow researcher who asked not to be named said the exploit works reliably and that little additional work is needed to use the code for malicious purposes. It can be reproduced using five requests from cURL, a command-line tool that transfers data using HTTP, HTTPS, IMAP, and other common Internet protocols.

Another researcher who tweeted about the published exploit told me he was able to modify it to gain remote code execution with a single mouse click.

“It will get code execution in the target machine without any authentication mechanism,” the researcher said.

I haz web shell

Researcher Kevin Beaumont, meanwhile, said on Friday that one of his honeypots—meaning an Internet-connected server running out-of-date software so the researcher can monitor active scanning and exploitation—began seeing scanning by remote systems searching for vulnerable servers.

About 35 minutes later, he tweeted, “Oh, one of my honeypots got popped with CVE-2021-21985 while I was working, I haz web shell (surprised it’s not a coin miner).”

A web shell is a command interface that attackers install on a server after gaining code execution. Once it is in place, an attacker anywhere in the world has essentially the same control over the machine that a legitimate administrator has.
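The honeypot activity described above shows up first as scanning: one source probing many paths in a short burst, most of them answered with errors. As an added example, not part of this article or of any researcher's published tooling, the script below parses combined-format web access logs and flags sources whose request pattern looks like a vulnerability scan. The log lines, client addresses and paths are constructed for the example; the paths are deliberately generic and are not the vCenter endpoints involved in CVE-2021-21985, and the thresholds are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in Apache/nginx "combined" format. Addresses, paths and
# timestamps are invented for this example and carry no relation to real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Jun/2021:10:05:00 +0000] "GET /a HTTP/1.1" 404 0 "-" "python-requests/2.25"
198.51.100.23 - - [04/Jun/2021:10:05:01 +0000] "GET /b HTTP/1.1" 404 0 "-" "python-requests/2.25"
198.51.100.23 - - [04/Jun/2021:10:05:01 +0000] "GET /c HTTP/1.1" 404 0 "-" "python-requests/2.25"
198.51.100.23 - - [04/Jun/2021:10:05:02 +0000] "POST /d HTTP/1.1" 404 0 "-" "python-requests/2.25"
198.51.100.23 - - [04/Jun/2021:10:05:03 +0000] "GET /e HTTP/1.1" 404 0 "-" "python-requests/2.25"
192.0.2.9 - - [04/Jun/2021:10:30:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "curl/7.68.0"
"""

# One combined-format line: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def find_scanners(events, min_distinct_paths=4, window_seconds=60, min_error_ratio=0.5):
    """Flag client IPs that hit many distinct paths inside a short window with mostly 4xx answers.

    Thresholds are assumptions for this example, not values from any advisory.
    Returns {ip: summary} where the summary describes the widest matching window.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            paths = {e["path"] for e in window}
            errors = sum(1 for e in window if 400 <= e["status"] < 500)
            ratio = errors / len(window)
            if len(paths) >= min_distinct_paths and ratio >= min_error_ratio:
                prev = flagged.get(ip)
                if prev is None or len(paths) > prev["distinct_paths"]:
                    flagged[ip] = {
                        "distinct_paths": len(paths),
                        "error_ratio": ratio,
                        "user_agent": window[-1]["ua"],
                        "first_seen": window[0]["ts"].isoformat(),
                        "last_seen": window[-1]["ts"].isoformat(),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Run against real logs, the same function takes the file contents in place of `SAMPLE_LOG`; the distinct-path count and error ratio separate a burst of probing from an ordinary visitor who simply mistypes a URL or two, which is why neither of the two legitimate-looking clients in the sample is flagged.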

Troy Mursch of Bad Packets reported on Thursday that his honeypot had also started receiving scans. On Friday, the scans were continuing, he said. A few hours after this post went live, the Cybersecurity and Infrastructure Security Administration released an advisory.

It said: “CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system.”

Under barrage

The in-the-wild activity is the latest headache for administrators who were already under barrage from malicious exploits of other serious vulnerabilities. Since the beginning of the year, various apps used in large organizations have come under attack. In many cases, the vulnerabilities have been zero-days, meaning they were being exploited before the vendor had issued a patch.

Attacks included Pulse Secure VPN exploits targeting federal agencies and defense contractors, successful exploits of a code-execution flaw in the BIG-IP line of server appliances sold by Seattle-based F5 Networks, the compromise of Sonicwall firewalls, the use of zero-days in Microsoft Exchange to compromise tens of thousands of organizations in the US, and the exploitation of organizations running versions of the Fortinet VPN that hadn’t been updated.

Like all of the exploited products above, vCenter resides in potentially vulnerable parts of large organizations’ networks. Once attackers gain control of the machines, it’s often only a matter of time until they can move to parts of the network that allow for the installation of espionage malware or ransomware.

Admins responsible for vCenter machines that have yet to patch CVE-2021-21985 should install the update immediately if possible. It wouldn’t be surprising to see attack volumes crescendo by Monday.

Post updated to add CISA advisory.