Security Week 23: Exploiting a Vulnerability in VMware vCenter

A vulnerability in VMware vCenter Server, the software used to manage cloud infrastructure, risks becoming a problem comparable in severity to the zero-day discovered earlier in Microsoft Exchange. Although the number of vCenter Server installations reachable from the network is much smaller (thousands, versus tens of thousands of mail servers), each of them can manage a huge fleet of virtual machines. Vulnerability CVE-2021-21985 was patched at the end of May, and the news of this week is the appearance of a working Proof of Concept in the public domain and the start of active exploitation.

Another similarity to the March problems in Microsoft Exchange is the severity of the vulnerability itself. It scored 9.8 out of 10 on the CVSSv3 scale and gives an attacker full access to the operating system on which vCenter runs. Specifically, the vulnerability was found in the Virtual SAN Health Check plugin, which is enabled by default. For administrators of infrastructure built on VMware products, this is a reason to update to the latest version immediately, or at least to block the problematic code from running.

Sources

  • Security advisory dated May 25.
  • Knowledge Base article describing how to block the plugin (simply disabling the plug-in does not close the vulnerability).
  • Public Proof of Concept.
  • Release notes for vCenter Server 6.7 Update 3n. Patches have also been released for versions 7.0 and 6.5.
  • Post on the VMware blog and FAQ.
  • Article at Ars Technica.
  • News on Habr.

Last week, not only did working PoCs appear online, but honeypot maintainers also reported mass port scanning in search of vulnerable installations. A search in the specialized search engine Shodan returns 5,500 vCenter servers with ports reachable from the network, most of them in the United States. On June 4, the US cybersecurity agency CISA issued an official warning. Ars Technica notes that this year has seen many vulnerabilities of the "it may already be too late to patch" class: the Exchange Server problem mentioned above, vulnerabilities in Pulse Secure and Fortinet VPNs, and holes in F5 Networks' BIG-IP server software. In the case of VMware, administrators had only a few days to resolve the problem. In the case of Exchange, an immediate reaction was required: exploitation began before the patch was released.

What else happened

A cyber incident (most likely a ransomware attack) hit the large meat supplier JBS Foods.

Sophos examines malware that exploits the March vulnerabilities in Exchange Server and encrypts data.

Latest research from Kaspersky Lab: reports on threat evolution in the first quarter of 2021 (overview article, statistics for PCs and for mobile devices); an overview of the Gootkit Trojan and a guide to e-mail spoofing.

This week Amazon will turn on Amazon Sidewalk, a feature that connects the company's devices (such as the Amazon Ring doorbell and other home security products) into a mesh network. Sidewalk has a dubious privacy property: for "greater efficiency", other people's devices can use your Internet connection to communicate with Amazon's servers.
