This is not a drill: VMware vuln with a severity of 9.8 is under attack | GeekComparison


A VMware vulnerability with a severity score of 9.8 out of 10 is being actively exploited. At least one reliable exploit has been made public, and there have been successful in-the-wild attempts to compromise servers running the vulnerable software.

The vulnerability, tracked as CVE-2021-21985, resides in vCenter Server, a tool for managing virtualization in large data centers. A VMware advisory published last week said that vCenter machines running default configurations have a bug that allows malicious code execution on many networks when the machines are reachable on a port exposed to the internet.

Code execution, no authentication required

On Wednesday, a researcher published proof-of-concept code that exploits the flaw. A fellow researcher who wished to remain anonymous said the exploit works reliably and little additional work is required to use the code for malicious purposes. It can be reproduced using five requests from cURL, a command-line tool that transfers data using HTTP, HTTPS, IMAP, and other common Internet protocols.

Another researcher who tweeted about the published exploit told me he could modify it to run code remotely with a single mouse click.

“It will get code execution on the target machine without any authentication mechanism,” the researcher said.

I haz web shell

Researcher Kevin Beaumont, meanwhile, said Friday that one of his honeypots – that is, an Internet-connected server running outdated software so that the researcher can monitor scanning and abuse – began receiving scans from remote systems looking for vulnerable servers.

About 35 minutes later he tweeted, “Oh one of my honeypots got popped with CVE-2021-21985 while I was working, I haz web shell (surprised it’s not a miner).”

A web shell is a command-line interface that attackers install after successfully executing code on a vulnerable machine. Once it is in place, attackers anywhere in the world have essentially the same control over the machine as its legitimate administrators.

Troy Mursch of Bad Packets reported Thursday that his honeypot had started receiving scans as well. The scans continued on Friday, he said. A few hours after this post went live, the Cybersecurity and Infrastructure Security Administration issued an advisory.

It said: “CISA is aware of the likelihood of cyberthreat actors attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. While patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system.”

Under barrage

The in-the-wild activity is the latest headache for administrators already beset by malicious exploits of other serious vulnerabilities. Since the beginning of this year, various apps used in large organizations have come under fire. In many cases, the vulnerabilities were zero-days, meaning they were exploited before the vendor had released a patch.

Attacks include Pulse Secure VPN exploits targeting federal agencies and defense contractors, successful exploits of a code execution flaw in the BIG-IP line of server equipment sold by Seattle-based F5 Networks, the compromise of SonicWall firewalls, the use of zero-days in Microsoft Exchange to endanger tens of thousands of organizations in the US, and the exploitation of organizations running versions of the Fortinet VPN that had not been updated.

Like all of the exploited products above, vCenter resides in potentially vulnerable parts of large organizations’ networks. Once attackers gain control of the machines, it is often only a matter of time before they can move into parts of the network where spy malware or ransomware can be installed.

Administrators responsible for vCenter machines that have yet to patch CVE-2021-21985 should install the update immediately if at all possible. It wouldn’t be surprising if attack volumes reached a crescendo by Monday.

Post updated to add CISA advisory.
