VMware has addressed a number of critical remote code execution (RCE) vulnerabilities in VMware ESXi and the vSphere Client virtual infrastructure management platform that could allow attackers to execute arbitrary commands and take control of the affected systems.
“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” the company said in its advisory.
The vulnerability, which is tracked as CVE-2021-21972, has a CVSS score of 9.8 out of a maximum of 10, meaning it is of utmost importance in terms of severity.
“In our opinion, the RCE vulnerability in the vCenter Server can be no less of a threat than the malicious vulnerability in Citrix (CVE-2019-19781),” said Mikhail Klyuchnikov of Positive Technologies, who discovered and reported the defect to VMware.
“The bug allows an unauthorized user to send a specially crafted request, which will later allow them to execute arbitrary commands on the server.”
With this access in place, the attacker can then successfully navigate through the corporate network and gain access to the data stored in the vulnerable system, such as virtual machine information and system users, Klyuchnikov noted.
In addition, a second vulnerability (CVE-2021-21973, CVSS score 5.3) allows unauthorized users to send POST requests, enabling an adversary to conduct further attacks, including scanning the company’s internal network and retrieving details about the open ports of various services.
The information disclosure issue, according to VMware, stems from an SSRF (Server-Side Request Forgery) vulnerability caused by improper validation of URLs in a vCenter Server plugin.
VMware has also provided workarounds to temporarily mitigate CVE-2021-21972 and CVE-2021-21973 until the updates can be applied. Detailed steps can be found here.
It is worth noting that earlier this month VMware fixed a command injection vulnerability in its vSphere Replication product (CVE-2021-21976, CVSS score 7.2) that could give a bad actor with administrative privileges the ability to execute shell commands and achieve RCE.
Finally, VMware also resolved a heap-overflow bug (CVE-2021-21974, CVSS score 8.8) in the ESXi Service Location Protocol (SLP) implementation, which could allow an attacker on the same network segment to send malicious SLP requests to an ESXi device and take control of it.
OpenSLP provides a framework to allow networking applications to discover the existence, location, and configuration of network services in enterprise networks.
The latest fix for the ESXi OpenSLP comes on the heels of a similar patch (CVE-2020-3992) last November that could be leveraged to trigger a use-after-free in the OpenSLP service, leading to remote code execution.
Shortly thereafter, reports of active exploitation emerged in the wild, with ransomware gangs abusing the vulnerability to take over unpatched virtual machines used in enterprise environments and encrypt their virtual hard drives.
It is strongly recommended that users install the updates to eliminate the risk associated with the defects, as well as “remove vCenter Server interfaces from the perimeter of organizations, if they exist, and allocate them to a separate VLAN with a limited access list in the internal network.”