VMWare Patches Critical RCE Flaw in vCenter Server


The vulnerability, one of three patched by the company this week, could allow threat actors to breach the external perimeter of a data center or leverage backdoors already installed to take over a system.

Threatpost Webinar February Promo

Click to Register

VMware has patched three vulnerabilities in its virtual-machine infrastructure for data centers, the most serious of which is a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system to find other vulnerable points of network entry to take over affected systems.

Positive Technologies researcher Mikhail Klyuchnikov discovered two of the flaws in vCenter Server, the centralized management and automation platform for VMware’s vSphere virtualization platform, which—given VMware’s dominant position in the market—is used by the majority of enterprise data centers. Among its duties, vCenter Server manages virtual machines, multiple ESXi hypervisor hosts and other various dependent components from a central management dashboard.

Where the VMware Flaws Were Found, What’s Effected? 

The researcher found the most critical of the flaws, which is being tracked as CVE-2021-21972 and has a CVSS v3 score of 9.8, in a vCenter Server plugin for vROPs in the vSphere Client functionality, according to an advisory posted online Tuesday by VMware.

“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” the company said.

The plugin is available in all default installations—potentially giving attackers a wide attack surface–and vROPs need not be present to have this endpoint available, according to VMware.

The main threat in terms of exploiting the vulnerability comes from insiders who have penetrated the protection of the network perimeter using other methods–such as social engineering or web vulnerabilities–or have access to the internal network using previously installed backdoors, according to Positive Technologies.

Klyuchnikov said the VMware flaw poses “no less threat” than a notoriously easy-to-exploit Citrix RCE vulnerability, CVE-2019-19781, which was discovered two years ago affecting more than 25,000 servers globally. It is especially dangerous because “it can be used by any unauthorized user,” he said.

“The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server,” Klyuchnikov explained. “After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system, such as information about virtual machines and system users.”

How is CVE-2021-21972 Exploited?

In the case in which vulnerable software can be accessed from the internet, an external attacker can break into a company’s external perimeter and also gain access to sensitive data, he added. This scenario is highly likely based on previous pentests executed by Positive Technologies, which allowed researchers to breach the network perimeter and gain access to local network resources in 93 percent of companies, according to the company.

Another flaw patched by VMware in the update also has potential for remote code execution and affects the hypervisor VMware ESXi , the company said. CVE-2021-21974, with a CVSSv3 base score of 8.9. is a heap-overflow vulnerability in the OpenSLP component as used in an ESXi host.

A threat actor who’s already inside the same network segment as an ESXi host and has access to port 427 can use the vulnerability to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution, according to VMware.

The other flaw Klyuchnikov discovered—tracked as CVE-2021-21973 and the least serious of the three–is a Server Side Request Forgery (SSRF) vulnerability due to improper validation of URLs in a vCenter Server plugin with a CVSS score of 5.3, according to VMWare. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure,” the company said.

Unauthorized users can use the flaw to send requests as the targeted server to help threat actors develop further attacks. Used in combination with the other vulnerabilities, attackers could leverage it to scan the company’s internal network and obtain information about the open ports of various services, Klyuchnikov said.

What VMware is Recommending for a Fix to the Data Center Bugs?

VMware advised customers to install all updates provided to affected deployments to remediate the threat the vulnerabilities pose. The company also provided workarounds for those who can’t immediately update their systems.

Positive Technologies also recommended that companies affected who have vCenter Server interfaces on the perimeter of their organizations remove them, and also allocate the interfaces to a separate VLAN with a limited access list in the internal network, the company said.

Is your small- to medium-sized business an easy mark for attackers?

Threatpost WEBINAR:  Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a  FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.

Suggested articles