VMware has fixed a serious flaw in its vCenter Server VMware utility that could have opened the door for hackers to remotely execute code on a vulnerable server.
In a press release published Wednesday, Positive Technologies, which discovered and alerted VMware to the bug, said attackers could have exploited the vCenter Server bug to take over unpatched VMware servers and gain access to local network resources.
The major threat would have come from hackers who had penetrated the security of a network perimeter through social engineering or web vulnerabilities, or who had gained access to a network using previously created backdoors.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Last August, Positive Technologies revealed the results of penetration testing through which it was able to breach the network perimeter and obtain access to local network resources in 93% of companies. In the press release, Positive Technologies analyst Mikhail Klyuchnikov explained how the VMware vulnerability could have been abused by any unauthorized user, making it especially dangerous.
“The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server,” Klyuchnikov said.
“After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users),” he added. “If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data.”
This remote code execution (RCE) flaw specifically affects the vSphere Client (HTML5), which is a plugin for the vCenter Server used by many large companies to manage their local VMware product installations. Dubbed CVE-2021-21972, the flaw has earned itself has a CVSS v3 score of 9.8, indicating the severity of the problem.
More than 6,000 VMware vCenter devices worldwide contain the vulnerability, according to Positive Technologies. Even though 90% of them are located within the network perimeter, some of them are accessible remotely via the internet. A quarter of these devices are in the U.S., followed by smaller numbers in Germany, France, China, Great Britain, Canada, Russia, Taiwan, Iran and Italy.
Another vulnerability (CVE-2021-21973 with a CVSS score of 5.3) discovered by Positive Technologies could have allowed unauthorized users to send requests as the targeted server. By thus exploiting the flaw this way, an attacker could then scan a company’s internal network and find details about the open ports of various services.
Companies that use VMware Server are strongly urged to check VMware’s advisory page for more details on these flaws and to download and install the necessary updates to patch their systems. Further, Positive Technologies advises companies to remove vCenter Server interfaces from their perimeters if they are located as such and allocate them to a separate VLAN with a limited access list in the internal network.
“Exploitation simplicity and the impact of the vulnerability are both highly critical, permitting even unskilled attackers to take control over entire corporate networks within minutes,” Ilia Kolochenko, CEO of security provider ImmuniWeb, told TechRepublic. “It is, however, fair to say that normally vSphere Client web interface should not be accessible from the internet or at least should have strict IP filtering rules. Therefore, compromised organizations undoubtedly share responsibility for being breached via this vulnerability.”