By security practitioners, for security practitioners innovate | novacoast federal | novaSOC | novacoast
By security practitioners, for security practitioners

PoC Released For New VMware vCenter Vulnerability

On the tail of VMware disclosing that its vCenter Server is affected by an arbitrary file upload vulnerability, a proof of concept for exploiting the flaw has been released.

Background

A new Proof of Concept impacting VMware vCenter has been released by Rapid7 engineer William Vu. The PoC exploits CVE-2021-22005, a critical vulnerability announced by VMware last week. The researcher was able to create a reverse shell into the vCenter console and achieve arbitrary remote code execution (RCE).

Vulnerability Details

CVE-2021-22005 allows for an arbitrary file upload using the CEIP (Analytics) service. This is enabled by default and VMware states that disabling the analytics service is not a sufficient mitigation strategy.

By uploading a specially crafted file, arbitrary code execution is possible. The attacker only needs to have network access to the device over port 443 to deliver the payload.

It is recommended that you review the advisory and FAQ from VMware on this vulnerability for more details.

Affected versions

vCenter Server 6.5, 6.7, and 7.0.

Mitigation

VMWare suggests upgrading VMWare vCenter to 7.0 Update 2c as soon as possible.
 
A workaround is documented if upgrading is not possible in a timely manner (KB85717 linked below).
 
Given the network based attack vector, this vulnerability highlights the importance of good network hygene, including network segmentation of management interfaces and disabling unused ports using firewalls and ACLs.

Resources

Security Advisory form VMware (VMSA-2021-0020):
https://www.vmware.com/security/advisories/VMSA-2021-0020.html

Workaround Instructions from VMWare:
https://kb.vmware.com/s/article/85717

FAQ from VMWare regarding CVE-2021-22005 With Extensive Details:
https://core.vmware.com/vmsa-2021-0020-questions-answers-faq

CISA Advisory:
https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active

Mitre Entry:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22005

Previous Post

Netgear Warns Certain Routers Impacted by Remote Code Execution Vulnerability

Next Post

Hikvision Cameras RCE Vulnerability Requires a Firmware Update

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.