Threat Update
Recently, VMWare, a global virtualization and cloud computing vendor, was informed of a critical vulnerability that affects certain versions of its vCenter service. Successful exploitation of this vulnerability could allow an attacker to upload arbitrary files and execute code on vulnerable devices, which could lead to system compromise.
Barracuda MSP recommends ensuring that all devices are updated to their latest versions, to allow for security patches to be implemented.
Technical Detail & Additional Information
WHAT IS THE THREAT?
CVE-2021-21985 – Arbitrary File Upload / Command Execution Vulnerability:
This vulnerability exists in all appliances running default vCenter Server 6.7 and 7.0 deployments. The vulnerability “can be exploited by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration setting of vCenter Server.” An attacker could potentially use this to execute arbitrary commands and upload malicious files, which would enable them to perform malicious activity on a device.
WHY IS IT NOTEWORTHY?
VMware products are used and trusted by thousands of businesses and individuals worldwide. Because these products are so widely used, there is a wide scope of potential targets. Attackers will search for vulnerable systems to compromise, and with the minimal level of access required to exploit this vulnerability, the vulnerability should be considered critical. It is very important to keep services updated regularly. This is to apply patches that are made specifically to prevent these vulnerabilities from being exploited.
WHAT IS THE EXPOSURE OR RISK?
This vulnerability has not yet been spotted in the wild. However, once it is released, attackers will be able to do damage with minimal effort. Anyone with network access to port 443 on vCenter Server could be capable of exploiting this issue to execute code on vCenter Server by uploading a specially crafted file. This could potentially allow attackers to gain access to devices, escalate privileges or execute remote code, amongst other potential threats. These vulnerabilities could lead to several possible compromises, such as denial of service attacks, and even complete system compromises. In many cases, IT users with high end admin access will rely on virtual machines for different parts of their job. If one of these machines was compromised, attackers could gain access to sensitive information and even execute arbitrary system commands. Many companies rely on VMware machines remaining private and being able to use these machines to conduct everyday business. This vulnerability is critical and puts these expectations at potential risk if they are exploited by attackers, so it is very important to ensure that updates are applied to allow for this vulnerability to be patched.
WHAT ARE THE RECOMMENDATIONS?
VMware has released patches for this vulnerability, which impacts vCenter Server versions 6.7, and 7.0. Barracuda MSP recommends immediately updating any devices running those versions to allow for the proper patches to be applied.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-bug-in-default-vcenter-server-installs/
- https://securityaffairs.co/wordpress/122686/hacking/cve-2021-22005-exploit-vmware-vcenter.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22005
If you have any questions, please contact our Security Operations Center.