Very High
VMware vSphere Client Unauth Remote Code Execution Vulnerability — CVE-2021-21972
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
VMware vSphere Client Unauth Remote Code Execution Vulnerability — CVE-2021-21972
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Update March 3: Exploitation in the wild was confirmed over the weekend. See the Rapid7 analysis for more updates.
There are reports of opportunistic scanning for vulnerable vCenter Server endpoints and a bunch of PoC that’s made its way to GitHub over the past twelve hours or so. There hasn’t been confirmation of in-the-wild exploitation yet, but it’s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As @wvu-r7 points out in the Rapid7 analysis, the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I’d be a little surprised if we didn’t see a follow-on CVE at some point for an authentication bypass.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Please see the Rapid7 analysis.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- vmware
Products
- cloud foundation,
- vcenter server 6.5,
- vcenter server 6.7,
- vcenter server 7.0
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://securityaffairs.co/wordpress/124873/cyber-crime/memento-ransomware-winrar.html)
- Other: Conti Gang Internal Leaks (https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Miscellaneous
Additional Info
Technical Analysis
Threat status: Widespread threat
Attacker utility: Network infrastructure compromise
Update Tuesday, March 2, 2021: Community members have confirmed in-the-wild exploitation of CVE-2021-21972 to deliver web shells and malware (credit to @0x80O0oOverfl0w). There are at least four proof-of-concept (PoC) exploits publicly available. vCenter Server customers who have not patched and who have vCenter exposed to the internet should strongly consider conducting incident response investigations.
On Tuesday, February 23, 2021, VMware published a security advisory on three vulnerabilities affecting their vCenter Server, ESXi, and Cloud Foundation products. The most severe of these is CVE-2021-21972, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of VMware vCenter’s vROps plugin. The vulnerability allows an attacker with network access to port 443 to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
The affected vCenter Server plugin for vROps is available in all default installations; vROps does not need to be present to have this endpoint available. CVE-2021-21972 carries a CVSSv3 base score of 9.8. Mikhail Klyuchnikhov of Positive Technologies has technical details available here.
While there have not yet been any reports of exploitation in the wild, there are reports of opportunistic scanning, and several proofs-of-concept (POC) have been published. In-depth technical detail is publicly available as of February 24, 2021. Rapid7 categorizes CVE-2021-21972 as an impending threat, but we expect active and widespread exploitation to occur quickly. We strongly recommend updating to one of the fixed versions VMware has released on an emergency basis, or deploying the workaround immediately if updating is not possible.
Affected products
- vCenter Server 7.x before 7.0 U1c
- vCenter Server 6.7 before 6.7 U3l
- vCenter Server 6.5 before 6.5 U3n
- Cloud Foundation (vCenter Server) 4.x before 4.2
- Cloud Foundation (vCenter Server) 3.x before 3.10.1.2
Rapid7 analysis
vCenter Server is a perennially valuable target for both sophisticated and commodity attackers, and CVE-2021-21972 gives an attacker broad latitude to compromise network infrastructure across affected vCenter installations. Rapid7 researchers have independently analyzed, tested, and confirmed exploitability of the vulnerability: Remote code execution is straightforward using multiple vectors, and our team was able to use an arbitrary file write as the vsphere-ui
user to upload an SSH key or webshell to a vulnerable vCenter Server running on Linux.
Rapid7 researchers began with a copy of the vROps (vRealize Operations) plugin in vCenter Server. While analyzing the plugin’s ServicesController
class, which implements the /ui/vropspluginui/rest/services
endpoints, Rapid7 researchers discovered an endpoint that appeared vulnerable to file upload and path traversal. The /ui/vropspluginui/rest/services/uploadova
endpoint is shown below.
@RequestMapping(value = {"/uploadova"}, method = {RequestMethod.POST}) public void uploadOvaFile(@RequestParam(value = "uploadFile", required = true) CommonsMultipartFile uploadFile, HttpServletResponse response) throws Exception { logger.info("Entering uploadOvaFile api"); int code = uploadFile.isEmpty() ? 400 : 200; PrintWriter wr = null; try { if (code != 200) { response.sendError(code, "Arguments Missing"); return; } wr = response.getWriter(); } catch (IOException e) { e.printStackTrace(); logger.info("upload Ova Controller Ended With Error"); } response.setStatus(code); String returnStatus = "SUCCESS"; if (!uploadFile.isEmpty()) try { logger.info("Downloading OVA file has been started"); logger.info("Size of the file received : " + uploadFile.getSize()); InputStream inputStream = uploadFile.getInputStream(); File dir = new File("/tmp/unicorn_ova_dir"); if (!dir.exists()) { dir.mkdirs(); } else { String[] entries = dir.list(); for (String str : entries) { File currentFile = new File(dir.getPath(), str); currentFile.delete(); } logger.info("Successfully cleaned : /tmp/unicorn_ova_dir"); } TarArchiveInputStream in = new TarArchiveInputStream(inputStream); TarArchiveEntry entry = in.getNextTarEntry(); List<String> result = new ArrayList<String>(); while (entry != null) { if (entry.isDirectory()) { entry = in.getNextTarEntry(); continue; } String parsedFileName = FilenameUtils.getName(entry.getName()); logger.info("Original Path in OVA : " + entry.getName() + " | Parsed Path : " + parsedFileName); File curfile = new File("/tmp/unicorn_ova_dir", parsedFileName); File parent = curfile.getParentFile(); if (!parent.exists()) parent.mkdirs(); OutputStream out = new FileOutputStream(curfile); IOUtils.copy((InputStream)in, out); out.close(); result.add(entry.getName()); entry = in.getNextTarEntry(); } in.close(); logger.info("Successfully deployed File at Location :/tmp/unicorn_ova_dir"); } catch (Exception e) { logger.error("Unable to upload OVA file :" + e); returnStatus = "FAILED"; } wr.write(returnStatus); wr.flush(); wr.close(); }
Rapid7 researchers confirmed that uploading an OVA file containing a path traversal allowed for an arbitrary file write as the vsphere-ui
user on Linux. Writing an SSH key and a webshell were both tested successfully.
Analysis of the patch yielded no changed code, though the endpoints now require authentication. Thus, the vulnerability remains, and either credentialed access or an auth bypass will open up a target to continued exploitation.
Guidance
VMware customers that expose vCenter to the internet on port 443 should immediately restrict access and monitor for signs of suspicious activity. vCenter Server users should apply the workaround and/or update to one of the fixed versions VMware has released as soon as possible; organizations would be well-advised to consider invoking emergency patch procedures given the severity of the vulnerability and the potential for network infrastructure compromise. If you are unable to update to a new fixed version of the software immediately, you can disable the vROps plugin by following VMware’s directions here: https://kb.vmware.com/s/article/82374.
References
https://swarm.ptsecurity.com/unauth-rce-vmware/
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
https://kb.vmware.com/s/article/82374
https://blog.rapid7.com/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: