A Chinese security researcher published a PoC code for the CVE-2021-21972 vulnerability in VMware Center, thousands of vulnerable servers are exposed online.
A Chinese security researcher published the Proof-of-concept exploit code for the CVE-2021-21972 RCE vulnerability affecting VMware vCenter servers.
vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.
The flaw could be exploited by remote, unauthenticated attackers without user interaction.
“The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. “
The issue affects vCenter Server plugin for vROPs which is available in all default installations. vROPs does not need be present to have this endpoint available. The virtualization giant has provided workarounds to disable it.
Shortly after the publication of the flaw, experts from security firm Bad Packets started observing online scanning for vulnerable servers.
We've detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).
Query our API for "tags=CVE-2021-21972" for relevant indicators and source IP addresses. #threatintel https://t.co/AcSZ40U5Gp
— Bad Packets (@bad_packets) February 24, 2021
At the time of this writing, querying the Shodan search engine it is possible to find more than 6,700 potentially vulnerable VMware vCenter servers that are exposed online.
The CVE-2021-21972 flaw was reported by Mikhail Klyuchnikov from Positive Technologies, it has received a CVSSv3 base score of 9.8/ 10 according to VMware’s security advisory.
Positive Technologies published a detailed analysis for this vulnerability to share knowledge about potential compromises resulting from the exploitation of this issue.
Experts from Positive Technologies decided to avoid publishing the PoC code for this issue because of the large number of installs exposed online that have yet to be patched.
Due to the amount of unpatched boxes, we've decided to hold back on publishing the PoC until somebody else releases one first. Once the exploit is public knowledge we'll also drop an article covering all of the technical details. Stay tuned!
— PT SWARM (@ptswarm) February 23, 2021
Unfortunately, ZDNet reported the availability of other easy-to-use proof-of-concept codes, exposing the organization to the risk of hack.
Experts warn of the risks that cybercrime organizations could hit vulnerable installs to compromise their networks and conduct several malicious activities, including the deployment of ransomware.
Darkside and RansomExx ransomware operators were observed targeting VMware infrastructure in the last months.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Avaddon ransomware)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
A Chinese security researcher published a PoC code for the CVE-2021-21972 vulnerability in VMware Center, thousands of vulnerable servers are exposed online.
A Chinese security researcher published the Proof-of-concept exploit code for the CVE-2021-21972 RCE vulnerability affecting VMware vCenter servers.
vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.
The flaw could be exploited by remote, unauthenticated attackers without user interaction.
“The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. “
The issue affects vCenter Server plugin for vROPs which is available in all default installations. vROPs does not need be present to have this endpoint available. The virtualization giant has provided workarounds to disable it.
Shortly after the publication of the flaw, experts from security firm Bad Packets started observing online scanning for vulnerable servers.
We've detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).
Query our API for "tags=CVE-2021-21972" for relevant indicators and source IP addresses. #threatintel https://t.co/AcSZ40U5Gp
— Bad Packets (@bad_packets) February 24, 2021
At the time of this writing, querying the Shodan search engine it is possible to find more than 6,700 potentially vulnerable VMware vCenter servers that are exposed online.
The CVE-2021-21972 flaw was reported by Mikhail Klyuchnikov from Positive Technologies, it has received a CVSSv3 base score of 9.8/ 10 according to VMware’s security advisory.
Positive Technologies published a detailed analysis for this vulnerability to share knowledge about potential compromises resulting from the exploitation of this issue.
Experts from Positive Technologies decided to avoid publishing the PoC code for this issue because of the large number of installs exposed online that have yet to be patched.
Due to the amount of unpatched boxes, we've decided to hold back on publishing the PoC until somebody else releases one first. Once the exploit is public knowledge we'll also drop an article covering all of the technical details. Stay tuned!
— PT SWARM (@ptswarm) February 23, 2021
Unfortunately, ZDNet reported the availability of other easy-to-use proof-of-concept codes, exposing the organization to the risk of hack.
Experts warn of the risks that cybercrime organizations could hit vulnerable installs to compromise their networks and conduct several malicious activities, including the deployment of ransomware.
Darkside and RansomExx ransomware operators were observed targeting VMware infrastructure in the last months.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Avaddon ransomware)