Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
12

VMware vSphere Client Unauth Remote Code Execution Vulnerability — CVE-2021-21972

Disclosure Date: February 24, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

Add Assessment

4
Ratings
Technical Analysis

Update March 3: Exploitation in the wild was confirmed over the weekend. See the Rapid7 analysis for more updates.

There are reports of opportunistic scanning for vulnerable vCenter Server endpoints and a bunch of PoC that’s made its way to GitHub over the past twelve hours or so. There hasn’t been confirmation of in-the-wild exploitation yet, but it’s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As @wvu-r7 points out in the Rapid7 analysis, the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I’d be a little surprised if we didn’t see a follow-on CVE at some point for an authentication bypass.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • vmware

Products

  • cloud foundation,
  • vcenter server 6.5,
  • vcenter server 6.7,
  • vcenter server 7.0
Technical Analysis

Threat status: Widespread threat
Attacker utility: Network infrastructure compromise

Update Tuesday, March 2, 2021: Community members have confirmed in-the-wild exploitation of CVE-2021-21972 to deliver web shells and malware (credit to @0x80O0oOverfl0w). There are at least four proof-of-concept (PoC) exploits publicly available. vCenter Server customers who have not patched and who have vCenter exposed to the internet should strongly consider conducting incident response investigations.

On Tuesday, February 23, 2021, VMware published a security advisory on three vulnerabilities affecting their vCenter Server, ESXi, and Cloud Foundation products. The most severe of these is CVE-2021-21972, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of VMware vCenter’s vROps plugin. The vulnerability allows an attacker with network access to port 443 to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

The affected vCenter Server plugin for vROps is available in all default installations; vROps does not need to be present to have this endpoint available. CVE-2021-21972 carries a CVSSv3 base score of 9.8. Mikhail Klyuchnikhov of Positive Technologies has technical details available here.

While there have not yet been any reports of exploitation in the wild, there are reports of opportunistic scanning, and several proofs-of-concept (POC) have been published. In-depth technical detail is publicly available as of February 24, 2021. Rapid7 categorizes CVE-2021-21972 as an impending threat, but we expect active and widespread exploitation to occur quickly. We strongly recommend updating to one of the fixed versions VMware has released on an emergency basis, or deploying the workaround immediately if updating is not possible.

Affected products

  • vCenter Server 7.x before 7.0 U1c
  • vCenter Server 6.7 before 6.7 U3l
  • vCenter Server 6.5 before 6.5 U3n
  • Cloud Foundation (vCenter Server) 4.x before 4.2
  • Cloud Foundation (vCenter Server) 3.x before 3.10.1.2

Rapid7 analysis

vCenter Server is a perennially valuable target for both sophisticated and commodity attackers, and CVE-2021-21972 gives an attacker broad latitude to compromise network infrastructure across affected vCenter installations. Rapid7 researchers have independently analyzed, tested, and confirmed exploitability of the vulnerability: Remote code execution is straightforward using multiple vectors, and our team was able to use an arbitrary file write as the vsphere-ui user to upload an SSH key or webshell to a vulnerable vCenter Server running on Linux.

Rapid7 researchers began with a copy of the vROps (vRealize Operations) plugin in vCenter Server. While analyzing the plugin’s ServicesController class, which implements the /ui/vropspluginui/rest/services endpoints, Rapid7 researchers discovered an endpoint that appeared vulnerable to file upload and path traversal. The /ui/vropspluginui/rest/services/uploadova endpoint is shown below.

  @RequestMapping(value = {"/uploadova"}, method = {RequestMethod.POST})
  public void uploadOvaFile(@RequestParam(value = "uploadFile", required = true) CommonsMultipartFile uploadFile, HttpServletResponse response) throws Exception {
	logger.info("Entering uploadOvaFile api");
	int code = uploadFile.isEmpty() ? 400 : 200;
	PrintWriter wr = null;
	try {
  	if (code != 200) {
    	response.sendError(code, "Arguments Missing");
    	return;
  	}
  	wr = response.getWriter();
	} catch (IOException e) {
  	e.printStackTrace();
  	logger.info("upload Ova Controller Ended With Error");
	}
	response.setStatus(code);
	String returnStatus = "SUCCESS";
	if (!uploadFile.isEmpty())
  	try {
    	logger.info("Downloading OVA file has been started");
    	logger.info("Size of the file received  : " + uploadFile.getSize());
    	InputStream inputStream = uploadFile.getInputStream();
    	File dir = new File("/tmp/unicorn_ova_dir");
    	if (!dir.exists()) {
      	dir.mkdirs();
    	} else {
      	String[] entries = dir.list();
      	for (String str : entries) {
        	File currentFile = new File(dir.getPath(), str);
        	currentFile.delete();
      	}
      	logger.info("Successfully cleaned : /tmp/unicorn_ova_dir");
    	}
    	TarArchiveInputStream in = new TarArchiveInputStream(inputStream);
    	TarArchiveEntry entry = in.getNextTarEntry();
    	List<String> result = new ArrayList<String>();
    	while (entry != null) {
      	if (entry.isDirectory()) {
        	entry = in.getNextTarEntry();
        	continue;
      	}
      	String parsedFileName = FilenameUtils.getName(entry.getName());
      	logger.info("Original Path in OVA : " + entry.getName() + " | Parsed Path : " + parsedFileName);
      	File curfile = new File("/tmp/unicorn_ova_dir", parsedFileName);
      	File parent = curfile.getParentFile();
      	if (!parent.exists())
        	parent.mkdirs();
      	OutputStream out = new FileOutputStream(curfile);
      	IOUtils.copy((InputStream)in, out);
      	out.close();
      	result.add(entry.getName());
      	entry = in.getNextTarEntry();
    	}
    	in.close();
    	logger.info("Successfully deployed File at Location :/tmp/unicorn_ova_dir");
  	} catch (Exception e) {
    	logger.error("Unable to upload OVA file :" + e);
    	returnStatus = "FAILED";
  	}
	wr.write(returnStatus);
	wr.flush();
	wr.close();
  }

Rapid7 researchers confirmed that uploading an OVA file containing a path traversal allowed for an arbitrary file write as the vsphere-ui user on Linux. Writing an SSH key and a webshell were both tested successfully.

Analysis of the patch yielded no changed code, though the endpoints now require authentication. Thus, the vulnerability remains, and either credentialed access or an auth bypass will open up a target to continued exploitation.

Guidance

VMware customers that expose vCenter to the internet on port 443 should immediately restrict access and monitor for signs of suspicious activity. vCenter Server users should apply the workaround and/or update to one of the fixed versions VMware has released as soon as possible; organizations would be well-advised to consider invoking emergency patch procedures given the severity of the vulnerability and the potential for network infrastructure compromise. If you are unable to update to a new fixed version of the software immediately, you can disable the vROps plugin by following VMware’s directions here: https://kb.vmware.com/s/article/82374.

References

https://swarm.ptsecurity.com/unauth-rce-vmware/
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
https://kb.vmware.com/s/article/82374
https://blog.rapid7.com/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/