Threat actors target VMware vCenter Server users

VMware has released a series of patches addressing various vulnerabilities in its vCenter Server products (versions 6.5, 6.7 and 7.0) which should be applied immediately, as the ramifications for users are serious, and malicious actors are already known to be sniffing around.

The patches address a total of 19 vulnerabilities, listed here for convenience, of which the most serious appears to be CVE-2021-22005, a file upload vulnerability that has been assigned a critical CVSSv3 base score of 9.8.

A threat actor with network access to port 443 on vCenter Server would be able to exploit this vulnerability to run code on vCenter Server by uploading a specially crafted file. Note this vulnerability is not present in version 6.5.

Other vulnerabilities with CVSSv3 scores of 8 and above include CVE-2021-21991, a local privilege escalation vulnerability; CVE-2021-22006, a reverse proxy bypass vulnerability; and CVE-2021-22011, an unauthenticated API endpoint vulnerability. These vulnerabilities were discovered and disclosed to VMware by SolidLab’s George Noseevich and Sergey Gerasimov, and Hynek Petrak of Schneider Electric.

“These updates fix a critical security vulnerability, and your response needs to be considered at once,” VMware’s Bob Plankers said in a blog post.

“Organisations that practise change management using the ITIL definitions of change types would consider this an ‘emergency change’. All environments are different, have different tolerance for risk, and have different security controls and defence-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act.”

Some of the other vulnerabilities with lower scores could still be useful to an attacker who has already obtained access to an organisation’s network and should not be discounted.

VMware has made available a central hub resource for those affected by the vCenter Server vulnerabilities, which can be accessed here.

ESET’s Jake Moore commented: “As threat actors improve on their speed in reacting to real-world vulnerabilities, it is strongly advised to act quickly in updating with the antidote to these flaws before it’s too late.

“Although there are no current reports on any exploitation, this can change without a moment’s notice in times of very sophisticated adversaries looking to take advantage of unpatched weaknesses. Furthermore and for extra protection, any network access to critical infrastructure should ideally only be carried out via a VPN.”

Chris Sedgewick, director of security operations at Talion, added: “Due to its global prevalence, VMWare is a lucrative platform for attackers to target, and recently VMWare exploits have been extremely popular, with sophisticated state-backed groups and intelligence services utilising them to assist in the successful execution of their campaigns.

“Back in May, a similar exploit in vCenter was disclosed after Russian threat groups were exploiting it. Therefore, it is especially important for users to take swift action by quickly follow the recommended actions and implement the security updates for VMWare.”