On the tail of VMware disclosing that its vCenter Server is affected by an arbitrary file upload vulnerability, a proof of concept for exploiting the flaw has been released.
Background
A new Proof of Concept impacting VMware vCenter has been released by Rapid7 engineer William Vu. The PoC exploits CVE-2021-22005, a critical vulnerability announced by VMware last week. The researcher was able to create a reverse shell into the vCenter console and achieve arbitrary remote code execution (RCE).
Vulnerability Details
CVE-2021-22005 allows for an arbitrary file upload using the CEIP (Analytics) service. This is enabled by default and VMware states that disabling the analytics service is not a sufficient mitigation strategy.
By uploading a specially crafted file, arbitrary code execution is possible. The attacker only needs to have network access to the device over port 443 to deliver the payload.
It is recommended that you review the advisory and FAQ from VMware on this vulnerability for more details.
Affected versions
vCenter Server 6.5, 6.7, and 7.0.
Mitigation
VMWare suggests upgrading VMWare vCenter to 7.0 Update 2c as soon as possible.
A workaround is documented if upgrading is not possible in a timely manner (KB85717 linked below).
Given the network based attack vector, this vulnerability highlights the importance of good network hygene, including network segmentation of management interfaces and disabling unused ports using firewalls and ACLs.
Resources
Security Advisory form VMware (VMSA-2021-0020):
https://www.vmware.com/security/advisories/VMSA-2021-0020.html
Workaround Instructions from VMWare:
https://kb.vmware.com/s/article/85717
FAQ from VMWare regarding CVE-2021-22005 With Extensive Details:
https://core.vmware.com/vmsa-2021-0020-questions-answers-faq
CISA Advisory:
https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active
Mitre Entry:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22005
