Over 6,700 VMware Servers With Remote Code Execution Security Bug Exposed to the Internet – CPO Magazine

About 6,700 VMware vCenter servers vulnerable to a remote code execution (RCE) security bug and a server-side request forgery (SSRF) flaw are exposed to the Internet, according to Bad Packets.

The threat intelligence firm said it discovered mass-scanning activity targeting vulnerable VMware servers after a Chinese cybersecurity researcher published proof-of-concept (PoC) code for the VMware vSphere Client security bug, CVE-2021-21972.

VMware released patches for the two remote code execution flaws, CVE-2021-21972 and CVE-2021-21974, and the SSRF vulnerability, CVE-2021-21973, on February 23, 2021 (advisory VMSA-2021-0002).

Shodan queries revealed that more than 6,700 vCenter servers are reachable from the Internet and could be exploited to breach network perimeters. This figure is likely on the low end, as BinaryEdge reports that about 14,000 VMware servers are accessible on the Internet.

These installations can be exploited for remote code execution unless patched immediately. However, experience shows that many users keep running vulnerable systems long after fixes for known vulnerabilities have become available.

Positive Technologies security researcher Mikhail Klyuchnikov discovered the three vulnerabilities, which affect VMware ESXi, VMware vCenter Server (vCenter Server), and VMware Cloud Foundation (Cloud Foundation).

The most critical security bug, CVE-2021-21972, affects vCenter Server and has a CVSS v3 base score of 9.8. VMware said the vulnerability exists in the vCenter Server plugin for vRealize Operations (vROps) in the vSphere Client functionality.

The plugin is installed by default and does not require vROps to be present. VMware says that an attacker with network access to port 443 may exploit this issue and execute privileged commands on the operating system that hosts vCenter Server.

Positive Technologies said that threat actors who have already penetrated the corporate network perimeter pose the most serious threat.

A persistent threat actor could have breached the internal network using other techniques such as social engineering or backdoors. Klyuchnikov also noted that the vulnerability can be exploited by any unauthenticated user.

The security bug enables an attacker to send a specially crafted request that executes arbitrary commands. The threat actor can then move laterally through the network and access data about virtual machines and system users, according to Klyuchnikov.

The security vulnerability could be exploited through any vulnerable software accessible from the Internet. Positive Technologies says it breached the network perimeters of 93% of the organizations it tested and gained access to local network resources during penetration tests.

Klyuchnikov discovered another remote code execution vulnerability, CVE-2021-21974, in VMware ESXi, with a CVSS v3 base score of 8.8.

Successful exploitation triggers a heap overflow in the OpenSLP component of an ESXi host. To trigger this vulnerability for remote code execution, an attacker must be on the same network segment as the host and have access to port 427, the port the SLP service listens on.

The Positive Technologies researcher also discovered the Server-Side Request Forgery (SSRF) security bug, CVE-2021-21973, which has a CVSS v3 base score of 5.3.

The vulnerability stems from improper validation of URLs in a vCenter Server plugin. An attacker with network access to port 443 could trigger it by sending a POST request to the vCenter Server plugin, leading to information disclosure.

An SSRF bug of this kind lets an attacker stage further attacks: the vulnerable server can be used to scan for other VMware servers and discover open ports before the remote code execution vulnerabilities are exploited.

The vulnerability could also be a good candidate for denial of service (DoS) attacks. VMware advised organizations to install the newly released patches or implement the workarounds provided in its advisory. Removing VMware server management interfaces from the network perimeter would prevent attackers from breaching corporate networks this way, according to Positive Technologies.
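The advice above comes down to one question a defender can answer from the outside: are the management ports these three bugs depend on (TCP 443 for the vSphere Client and its plugins, TCP 427 for OpenSLP on ESXi) reachable from the Internet at all? The following script is an added example, not code from the article, VMware or Positive Technologies. It only attempts a TCP connection and sends no payload, so it tests exposure, not vulnerability; the host names in the inventory are constructed placeholders, and the port-to-CVE mapping is this example's own shorthand for the advisory text quoted in the article.

```python
"""Exposure check for VMware vCenter / ESXi management ports.

Run it from a vantage point OUTSIDE your perimeter (e.g. a throwaway cloud VM)
so the result reflects what Shodan- or BinaryEdge-style scanners would see,
not what is reachable from the internal network.
"""
import socket
from typing import Dict, Iterable, List

# Example's own mapping of management ports to the services and CVEs discussed
# in the article. Reachability of a port does not by itself prove the host is
# unpatched; it shows the interface is exposed and must be patched or filtered.
PORT_EXPOSURE = {
    443: ("vSphere Client / vCenter plugins", ["CVE-2021-21972", "CVE-2021-21973"]),
    427: ("OpenSLP on ESXi", ["CVE-2021-21974"]),
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a plain TCP connection to host:port succeeds.

    No data is sent; the socket is closed right after the handshake.
    Any OS-level error (refused, timeout, unresolvable name) counts as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(open_ports: Iterable[int]) -> List[str]:
    """Turn the set of reachable ports into human-readable findings."""
    findings = []
    for port in sorted(set(open_ports)):
        if port in PORT_EXPOSURE:
            service, cves = PORT_EXPOSURE[port]
            findings.append(
                f"tcp/{port} open: {service} reachable; patch/verify {', '.join(cves)}"
            )
    return findings


def check_hosts(hosts: Iterable[str], timeout: float = 2.0) -> Dict[str, List[str]]:
    """Probe every management port on every host and build a report."""
    report: Dict[str, List[str]] = {}
    for host in hosts:
        reachable = [p for p in PORT_EXPOSURE if probe_port(host, p, timeout)]
        report[host] = classify(reachable) or ["no management ports reachable"]
    return report


if __name__ == "__main__":
    # Constructed inventory (placeholders); replace with your own
    # externally facing addresses before running.
    inventory = ["vcenter.example.invalid", "esxi01.example.invalid"]
    for host, lines in check_hosts(inventory).items():
        print(host)
        for line in lines:
            print("  -", line)
```

A host that reports `tcp/443 open` is exactly the kind of server the Shodan and BinaryEdge counts above are made of; the right fix is the vendor patch plus removing the interface from the perimeter or restricting it to an administrative source range, not relying on the scan coming back clean.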

Positive Technologies notified VMware of the vulnerabilities on October 2, 2020, and published its findings on February 24, 2021, after the proof-of-concept code was released.

"Assuming VMware was informed about the RCE flaw in October last year, it's incomprehensible why the patch has only been released after the vulnerability details were made public," says Ilia Kolochenko, CEO at ImmuniWeb. "Exploitation simplicity and the impact of the vulnerability are both highly critical, permitting even unskilled attackers to take control over entire corporate networks within minutes."

However, Kolochenko believes the exposed organizations share responsibility for failing to implement proper security configurations.

"It is, however, fair to say that normally the vSphere Client web interface should not be accessible from the Internet, or at least should have strict IP filtering rules. Therefore, compromised organizations undoubtedly share responsibility for being breached via this vulnerability."


Failing to disclose security bugs or release patches promptly also puts companies at risk of legal and regulatory action.

"From a legal viewpoint, it's highly likely that hacked organizations will see little mercy from the regulators or victims whose sensitive data will be stolen," Kolochenko says. "Sanctions may vary from civil enforcement actions by FTC in the US up to possible criminal prosecution of companies and their executives working in regulated industries in some jurisdictions. On top of this, victims will likely file individual and class actions seeking damages."
