A Chinese security researcher published a PoC code for the CVE-2021-21972 vulnerability in VMware Center, thousands of vulnerable servers are exposed online.
vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.
The flaw could be exploited by remote, unauthenticated attackers without user interaction.
“The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. “
The issue affects vCenter Server plugin for vROPs which is available in all default installations. vROPs does not need be present to have this endpoint available. The virtualization giant has provided workarounds to disable it.
Shortly after the publication of the flaw, experts from security firm Bad Packets started observing online scanning for vulnerable servers.
We've detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).
— Bad Packets (@bad_packets) February 24, 2021
At the time of this writing, querying the Shodan search engine it is possible to find more than 6,700 potentially vulnerable VMware vCenter servers that are exposed online.
The CVE-2021-21972 flaw was reported by Mikhail Klyuchnikov from Positive Technologies, it has received a CVSSv3 base score of 9.8/ 10 according to VMware’s security advisory.
Positive Technologies published a detailed analysis for this vulnerability to share knowledge about potential compromises resulting from the exploitation of this issue.
Experts from Positive Technologies decided to avoid publishing the PoC code for this issue because of the large number of installs exposed online that have yet to be patched.
Due to the amount of unpatched boxes, we've decided to hold back on publishing the PoC until somebody else releases one first. Once the exploit is public knowledge we'll also drop an article covering all of the technical details. Stay tuned!
— PT SWARM (@ptswarm) February 23, 2021
Experts warn of the risks that cybercrime organizations could hit vulnerable installs to compromise their networks and conduct several malicious activities, including the deployment of ransomware.
Darkside and RansomExx ransomware operators were observed targeting VMware infrastructure in the last months.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Cyber Defense Magazine