A VMware vulnerability with a severity rating of 9.8 out of 10 is currently being exploited. At least one reliable exploit has been made public, and there have been successful attempts in the wild to compromise the servers running the vulnerable software.
The vulnerability, identified as CVE-2021-21985, resides in vCenter Server, a tool for managing virtualization in large data centers. A VMware advisory published last week stated that vCenter machines using default configurations had a bug that in many networks allows malicious code to be executed when the machines are accessed on a port exposed to the Internet.
Code execution, no authentication required
On Wednesday, a researcher released proof-of-concept code that exploits the flaw. A fellow researcher who asked not to be named said the exploit worked reliably and that little additional work was needed to turn the code to malicious use. It can be reproduced with five requests from cURL, a command-line tool that transfers data using HTTP, HTTPS, IMAP, and other common Internet protocols.
Another researcher who tweeted about the published exploit told me he was able to modify it to achieve remote code execution with a single mouse click.
“It will get code execution in the target machine without any authentication mechanism,” the researcher said.
I haz web shell
Researcher Kevin Beaumont, meanwhile, said Friday that one of his honeypots, that is, a server connected to the Internet and running outdated software so the researcher can observe active scanning and exploitation, had begun to see scans from remote systems looking for vulnerable servers.
About 35 minutes later he tweeted, “Oh, one of my honeypots got popped with CVE-2021-21985 while I was working, I have a web shell (surprised it wasn’t a miner).”
Oh one of my honeypots broke with CVE-2021-21985 while I was working, I haz webshell (surprised it wasn’t a coin miner).
– Kevin Beaumont (@GossiTheDog) June 4, 2021
A web shell is a command-line interface that attackers install on a server after successfully executing code on it. Once installed, attackers anywhere in the world have essentially the same control over the machine as its legitimate administrators.
Troy Mursch of Bad Packets reported Thursday that his honeypot had also started receiving scans. The scans continued on Friday, he noted. A few hours after this article was published, the Cybersecurity and Infrastructure Security Agency issued an advisory.
It said, “CISA is aware of the likelihood that cyber threat actors will attempt to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were released on May 25, 2021, systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system.”
Activity in the wild is the latest headache for administrators who were already under a barrage of malicious exploits targeting other serious vulnerabilities. Since the start of the year, various applications used in large organizations have come under attack. In many cases, the vulnerabilities were zero-days, meaning they were exploited before the vendor had released a patch.
The attacks included Pulse Secure VPN exploits targeting federal agencies and defense contractors, successful exploits of a code execution flaw in the BIG-IP line of server appliances sold by Seattle-based F5 Networks, the compromise of SonicWall firewalls, the use of zero-days in Microsoft Exchange to compromise tens of thousands of organizations in the United States, and the exploitation of organizations running versions of Fortinet VPN that had not been updated.
Like all of the products exploited above, vCenter resides in sensitive parts of large enterprise networks. Once attackers have taken control of these machines, it is often only a matter of time until they can move to parts of the network that allow the installation of spyware or ransomware.
Administrators responsible for vCenter machines that have not yet been patched against CVE-2021-21985 should install the update immediately if at all possible. It wouldn’t be surprising to see attack volumes crescendo by Monday.
Post updated to add the CISA advisory.