On February 23, 2021, VMware issued a security advisory disclosing that several VMware products carried high-severity vulnerabilities, including remote code execution, a heap overflow and information disclosure.
Heart of the Machine report, Heart of the Machine editorial department.
Just a few days ago, a number of Internet companies picked up VMware's official security bulletin, which disclosed high-severity vulnerabilities including CVE-2021-21972, CVE-2021-21973 and CVE-2021-21974. An attacker can send carefully crafted malicious packets to achieve remote code execution and take control of the server, which poses a serious security risk.
The most significant vulnerability disclosed in the bulletin is CVE-2021-21972, a critical remote code execution (RCE) flaw in vCenter Server.
On February 24, the National Information Security Vulnerability Sharing Platform (CNVD) listed the VMware vCenter Server remote code execution vulnerability (CNVD-2021-12322, CVE-2021-21972) and the VMware ESXi OpenSLP heap overflow vulnerability (CNVD-2021-12321, CVE-2021-21974).
VMware High-risk Vulnerabilities
Attackers are scanning the Internet for servers affected by a code execution vulnerability in VMware vCenter Server that carries a severity rating of 9.8 out of 10.
VMware's official security advisory discloses two high-severity vulnerabilities, one in the vSphere Client and one in ESXi.
- CVE-2021-21972: the vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plug-in, the vRealize Operations plug-in; CVSSv3 score 9.8. The affected plug-in is installed by default.
- CVE-2021-21974: the OpenSLP service used by ESXi has a heap overflow vulnerability; CVSSv3 score 8.8. An attacker on the same network segment as an ESXi host, with access to port 427, can trigger the heap overflow in the OpenSLP service and achieve remote code execution.
CVE-2021-21972 is a remote code execution vulnerability in VMware vCenter Server, a Windows or Linux application that administrators use to deploy and manage virtualization across large networks. Within a day of VMware's patch release, at least six different sources had published proof-of-concept exploits. The severity of the vulnerability, together with the availability of working exploits for both Windows and Linux installations, has attackers scrambling to find vulnerable servers.
Mass scanning for CVE-2021-21972 was detected within one day
On February 24, the day after VMware's announcement, Troy Mursch, chief research officer at Bad Packets, tweeted that his company had detected large-scale scanning for vulnerable vCenter Servers.
Mursch said the BinaryEdge search engine found nearly 15,000 vCenter Servers exposed to the Internet, while Shodan found about 6,700. The scanning aims to identify servers that have not yet installed the patch, which VMware released on Tuesday.
The vulnerability gives unrestricted remote code execution
According to Tenable, CVE-2021-21972 allows attackers to upload files without authentication to vulnerable vCenter Servers that are reachable over port 443. Successful exploitation gives the attacker unrestricted remote code execution on the underlying operating system. The vulnerability stems from a lack of authentication in the vRealize Operations plug-in, which is installed by default.
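The two facts above, that the exploit needs no session and that it arrives over the same port 443 as normal vSphere Client traffic, mean the scanning Bad Packets observed is visible in ordinary web access logs. The following is an added example, not code from the article or from VMware or Tenable: it runs simple detection logic over a few constructed Apache-style log lines. The plug-in endpoint paths under /ui/vropspluginui/rest/services/ are an assumption taken from public analyses of this CVE rather than from this article, and the log format is whatever reverse proxy or WAF sits in front of vCenter, so adapt the regex to your own logs.

```python
"""Flag requests to the vRealize Operations plug-in endpoints that CVE-2021-21972
probes and exploit attempts hit (unauthenticated, over port 443).

Added example, not from the article. Endpoint paths are assumed from public
analyses of the CVE; the log lines below are constructed, not real vCenter data.
"""
import re
from collections import Counter, defaultdict

# Plug-in REST prefix reachable without a session on unpatched servers (assumption).
VROPS_PREFIX = "/ui/vropspluginui/rest/services/"

# Constructed sample log in Apache combined format.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Feb/2021:10:02:11 +0000] "GET /ui/vropspluginui/rest/services/checkmobregister HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
203.0.113.5 - - [24/Feb/2021:10:02:13 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
198.51.100.7 - - [24/Feb/2021:10:05:40 +0000] "GET /ui/vropspluginui/rest/services/checkmobregister HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Feb/2021:10:06:01 +0000] "GET /ui/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Feb/2021:10:06:05 +0000] "POST /ui/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(method, path, status):
    """Label one request, or return None when it does not touch the plug-in."""
    if not path.startswith(VROPS_PREFIX):
        return None
    endpoint = path[len(VROPS_PREFIX):].split("?", 1)[0]
    if method == "POST" and endpoint == "uploadova":
        # The unauthenticated file-upload endpoint is the one the public
        # exploit chain uses; a 200 means the upload was accepted without a session.
        return "exploit-attempt" if status == 200 else "exploit-attempt-blocked"
    if status == 404:
        # Plug-in absent or marked incompatible: workaround or patch in place.
        return "probe-blocked"
    return "probe"


def analyze(log_text):
    """Parse log lines and return {source_ip: Counter(label -> count)}."""
    findings = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        label = classify(m["method"], m["path"], int(m["status"]))
        if label:
            findings[m["ip"]][label] += 1
    return dict(findings)


if __name__ == "__main__":
    for ip, counts in analyze(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

On the constructed log, 203.0.113.5 produces one probe followed by an accepted upload (the pattern to page on), 198.51.100.7 hits a server where the plug-in answers 404, and the ordinary vSphere Client login from 192.0.2.44 is ignored. A single GET to checkmobregister from an unknown source is an Internet-scale scan, not proof of compromise; a 200 on the POST to uploadova on a server you own is.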
The vulnerability has a severity score of 9.8 out of 10.0 under the Common Vulnerability Scoring System (CVSS) version 3.0. Mikhail Klyuchnikov of Positive Technologies, who discovered the vulnerability and reported it privately to VMware, compared the risk of CVE-2021-21972 to that of CVE-2019-19781, a critical vulnerability in Citrix's Application Delivery Controller.
At the end of 2019, researchers discovered a serious vulnerability, CVE-2019-19781, in Citrix ADC and Citrix Gateway appliances. An unauthenticated attacker could exploit it to gain access to the device. Although no details of the vulnerability were released at the time, Citrix's announcement gave some clues about its type.
The CVE-2019-19781 vulnerability lies under the /vpns/ path, which pointed to a directory traversal vulnerability.
Klyuchnikov had earlier written in the Positive Technologies article "VMware fixes dangerous vulnerabilities that threaten many large companies":
In our opinion, the RCE vulnerability in vCenter Server is no less of a threat than the vulnerability in Citrix (CVE-2019-19781). This error allows unauthorized users to send a specially crafted request that later gives them a chance to execute an arbitrary command on the server. Given such an opportunity, an attacker can launch an attack, successfully move across the corporate network and gain access to data stored in the attacked system, such as information about virtual machines and system users. If the vulnerable software can be accessed from the Internet, this allows external attackers to penetrate the company's external border and access sensitive data. I want to point out again that this vulnerability is dangerous because it can be used by any unauthorized user.
Fix
CVE-2021-21972 affects vCenter Server versions 6.5, 6.7 and 7.0. Users running one of these versions should update to a fixed release as soon as possible:
- Upgrade vCenter Server 7.0 to 7.0 U1c.
- Upgrade vCenter Server 6.7 to 6.7 U3l.
- Upgrade vCenter Server 6.5 to 6.5 U3n.
Users who cannot install the patch immediately should follow the workaround in VMware KB 82374, "VMware vCenter Server Workaround Instructions for CVE-2021-21972 and CVE-2021-21973". It involves editing the plug-in compatibility-matrix file to mark the vRealize Operations plug-in as incompatible and then restarting the vSphere UI service. Administrators who expose vCenter Server directly to the Internet should strongly consider ending that practice, or at least placing it behind a VPN.
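The workaround is a one-line edit to a file, but it is easy to apply twice, apply to a file that already lists the plug-in with a different status, or apply without checking that it took effect. The script below is an added example, not VMware's code and not the KB's text: it performs the edit idempotently on a constructed copy of the matrix file and encodes the post-restart check. The file path /etc/vmware/vsphere-ui/compatibility-matrix.xml (Linux appliance), the element <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>, the service-control restart command and the expectation that an unauthenticated GET to /ui/vropspluginui/rest/services/checkmobregister returns 404 afterwards are all taken from KB 82374 as remembered by the editor; confirm them against the KB before touching a production appliance.

```python
"""Apply and verify the KB 82374 workaround for CVE-2021-21972: mark the vRealize
Operations plug-in as incompatible in vCenter's plug-in compatibility matrix.

Added example, not VMware's code. The path, element and plug-in id below are
assumptions based on KB 82374; verify them against the KB before use.
"""
import shutil
import sys

# Linux appliance (VCSA) location of the matrix file (assumption: KB 82374).
MATRIX_PATH = "/etc/vmware/vsphere-ui/compatibility-matrix.xml"
PLUGIN_ID = "com.vmware.vrops.install"
ENTRY = f'<PluginPackage id="{PLUGIN_ID}" status="incompatible"/>'

# Constructed minimal matrix, standing in for the real file.
SAMPLE_MATRIX = """<Matrix>
   <pluginsCompatibility>
      <!-- plug-in entries -->
   </pluginsCompatibility>
</Matrix>
"""


def mark_incompatible(xml_text):
    """Return xml_text with the vROps entry inside <pluginsCompatibility>.

    Idempotent: calling it on already-patched text returns the text unchanged.
    Refuses to silently override an existing entry for the same plug-in.
    """
    if ENTRY in xml_text:
        return xml_text
    if PLUGIN_ID in xml_text:
        raise ValueError(f"{PLUGIN_ID} already listed with another status; edit by hand")
    close_tag = "</pluginsCompatibility>"
    if close_tag not in xml_text:
        raise ValueError("no <pluginsCompatibility> section found; refusing to guess")
    head, tail = xml_text.split(close_tag, 1)
    return f"{head}{ENTRY}\n   {close_tag}{tail}"


def workaround_active(status_code):
    """KB 82374 verification after the vsphere-ui restart: an unauthenticated GET to
    /ui/vropspluginui/rest/services/checkmobregister must now return 404.
    200 means the plug-in endpoints are still reachable (assumption)."""
    return status_code == 404


def main(path=MATRIX_PATH):
    shutil.copy2(path, path + ".bak")  # keep a backup before editing
    with open(path) as f:
        original = f.read()
    updated = mark_incompatible(original)
    if updated != original:
        with open(path, "w") as f:
            f.write(updated)
        print(f"{path}: vROps plug-in marked incompatible")
    else:
        print(f"{path}: workaround already present")
    # Restart is a separate step on the appliance: service-control --restart vsphere-ui
    print("Now run: service-control --restart vsphere-ui, then re-check checkmobregister")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else MATRIX_PATH)
```

The verification step matters as much as the edit: the plug-in is still loaded until vsphere-ui restarts, so a scanner that hit the server between the edit and the restart still got a 200. Treat this as a stopgap; the workaround disables the plug-in, while only the fixed releases listed above remove the unauthenticated endpoint.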
Reference links:
zh-cn.tenable.com/blog/cve-20…
arstechnica.com/information…
www.vmware.com/security/ad…