VMware vCenter Server Vulnerability

By Frank Wood on October 7, 2021

(By: Frank Wood on September 30, 2021)

Executive Summary

VMware vCenter is server management software that offers “centrally visible, simplified and efficient management at scale, and extensibility across the hybrid cloud – all from a single console” [5]. With the large-scale capability of running 2,000 hosts and 35,000 virtual environments from a centralized location, coupled with the ability to scale up to 5,000 hosts and 70,000 virtual environments, VMware vCenter offers server management solutions that are desirable to organizations like Raytheon, Northrop Grumman, ECS Federal, and BAE Systems.

On September 21, 2021, VMware issued an advisory for its vCenter Server versions 6.5, 6.7, and 7.0 and its vCloud Foundation versions 3.x and 4.x, stating that 19 vulnerabilities had been discovered. These vulnerabilities ranged from privilege escalation and denial of service to information disclosure and path traversal [3][4]. Of the 19 vulnerabilities, nine (9) were rated “Moderate,” nine (9) were rated “Important,” and one (1) was rated “Critical” [3]. The “Critical” vulnerability is CVE-2021-22005, with a Common Vulnerability Scoring System (CVSS) score of 9.8 [2].

On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, the Cybersecurity and Infrastructure Security Agency (CISA) expects widespread exploitation of this vulnerability [1].

Vulnerability

CVE-2021-22005 is a file upload vulnerability in vCenter Server. An unauthenticated attacker with network access to port 443, whether from the same network or directly from the internet, could exploit a vulnerable vCenter Server by uploading a file to the vCenter Server analytics service. Successful exploitation results in remote code execution on the host [3].

Impact

Given the wide range of vulnerabilities disclosed, large organizations that run VMware vCenter or vCloud Foundation face significant exposure because of the number of systems and virtual environments they manage. If a cyber actor were to exploit the file upload vulnerability, they could take down thousands of systems and disrupt entire industries in the process.

Mitigation

The mitigation for these vulnerabilities is as follows:

vCenter Server 7.0 – Patch to vCenter Server 7.0 U2d [4].
vCenter Server 6.7 – Patch to vCenter Server 6.7 U3o [4].
vCenter Server 6.5 – Patch to vCenter Server 6.5 U3q [4].
VMware vCloud Foundation 4.x – Patch to VMware vCloud Foundation 4.3.1 [4].
VMware vCloud Foundation 3.x – Patch to VMware vCloud Foundation 3.10.2.2 [4].
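A small inventory triage script, added here as an illustration and not part of the VMware advisory or this post: it encodes the minimum fixed releases listed above and reports whether a given vCenter Server or vCloud Foundation version is at or beyond them. It assumes vCenter updates are written in the advisory's "U3o" form (update number plus optional letter) and vCloud Foundation versions as dotted numbers; the host names in the usage block are constructed.

```python
import re
from typing import Optional, Tuple

# Minimum fixed release per product line, as listed in VMSA-2021-0020.1 (cited above).
VCENTER_MIN = {"7.0": "U2d", "6.7": "U3o", "6.5": "U3q"}   # version -> update designator
VCF_MIN = {"4": "4.3.1", "3": "3.10.2.2"}                   # major line -> dotted version

_UPDATE_RE = re.compile(r"^U(\d+)([a-z]?)$")


def update_key(update: str) -> Tuple[int, int]:
    """Map a vCenter update designator to a sortable key.
    'U3o' -> (3, 15); a bare 'U2' -> (2, 0), so it orders before 'U2a'."""
    m = _UPDATE_RE.match(update.strip())
    if not m:
        raise ValueError(f"unrecognised update designator: {update!r}")
    num, letter = m.groups()
    return int(num), (ord(letter) - ord("a") + 1) if letter else 0


def dotted_key(version: str) -> Tuple[int, ...]:
    """'3.10.2.2' -> (3, 10, 2, 2): compare numerically, never as strings."""
    return tuple(int(p) for p in version.strip().split("."))


def vcenter_patched(version: str, update: str) -> Optional[bool]:
    """True if this vCenter line meets the advisory minimum, False if it is
    behind, None if the line is not covered by the advisory at all."""
    required = VCENTER_MIN.get(version)
    if required is None:
        return None
    return update_key(update) >= update_key(required)


def vcf_patched(version: str) -> Optional[bool]:
    """Same test for vCloud Foundation, keyed on the major version."""
    required = VCF_MIN.get(version.split(".")[0])
    if required is None:
        return None
    return dotted_key(version) >= dotted_key(required)


if __name__ == "__main__":
    # Constructed inventory rows (hypothetical hosts), not real deployments.
    for host, ver, upd in [("vc01", "7.0", "U2c"), ("vc02", "6.7", "U3o"), ("vc03", "6.0", "U3")]:
        print(host, ver, upd, "patched" if vcenter_patched(ver, upd) else "NEEDS REVIEW")
    for host, ver in [("vcf01", "4.2.1"), ("vcf02", "3.10.2.2")]:
        print(host, ver, "patched" if vcf_patched(ver) else "NEEDS REVIEW")
```

A `None` result (a version line the advisory does not list, such as 6.0) is flagged for review rather than treated as safe, since an unlisted line is typically end of support rather than unaffected.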

References

[1] CISA. (September 16, 2021). “VMware vCenter Server Vulnerability CVE-2021-22005 Under Active Exploit.” us-cert.cisa.gov. Accessed September 28, 2021. https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active.

[2] Malwarebytes Labs. (September 22, 2021). “Patch vCenter Server “Right Now,” VMWare Expects CVE-2021-22005 Exploitation Within Minutes of Disclosure.” blog.malwarebytes.com. Accessed September 28, 2021. https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/.

[3] Narang, S. (September 22, 2021). “CVE-2021-22005: Critical File Upload Vulnerability in VMware vCenter Server.” Tenable.com. Accessed September 28, 2021. https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server.

[4] VMware. (September 21, 2021). “Advisory ID: VMSA-2021-0020.1.” vmware.com. Accessed September 28, 2021. https://www.vmware.com/security/advisories/VMSA-2021-0020.html.

[5] VMware. (n.d.). “vCenter Server.” vmware.com. Accessed September 28, 2021. https://www.vmware.com/products/vcenter-server.html.