A VMware vulnerability with a severity of 9.8 out of 10 is actively being exploited. At least one reliable exploit has been published and successful attempts have been made to compromise servers running the vulnerable software.
The vulnerability, tracked as CVE-2021-21985, is in vCenter Server, a tool used to manage virtualization in large data centers. A VMware advisory released last week said that vCenter machines using standard configurations have a bug that, on many networks, allows malicious code to run when the machines are reachable through a port exposed to the Internet.
Code execution, no authentication required
On Wednesday, a researcher released proof-of-concept code that exploited the bug. A fellow researcher, who did not want to be named, said the exploit worked reliably and that little additional work was required to use the code for malicious purposes. The exploit can be reproduced with five requests from cURL, a command-line tool that transfers data over HTTP, HTTPS, IMAP, and other popular Internet protocols.
Another researcher, who tweeted about the published exploit, told me he could modify it to allow remote code execution with a single click of the mouse.
“It will get code execution on the target computer with no authentication mechanism,” said the researcher.
I have a web shell
Researcher Kevin Beaumont said Friday that one of his honeypots (an Internet-connected server that runs outdated software so that the researcher can monitor and analyze attack attempts against it) had started seeing scans by remote systems looking for vulnerable servers.
About 35 minutes later, he tweeted, “Oh, one of my honeypots got popped while working with CVE-2021-21985, I have a web shell (surprised it’s not a coin miner).”
– Kevin Beaumont (@GossiTheDog) June 4, 2021
A web shell is a command-line interface that hackers install after successfully achieving code execution on a vulnerable computer. Once it is installed, attackers anywhere in the world have essentially the same control over the machine as legitimate administrators.
Troy Mursch of Bad Packets reported on Thursday that his honeypot had also received scans, and he said the scans continued on Friday. A few hours after this post went live, the Cybersecurity and Infrastructure Security Agency published an advisory.
It stated: “CISA is aware of the likelihood that cyber threat actors will attempt to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to gain control of an unpatched system.”
The in-the-wild activity is the latest headache for administrators who have already been besieged by malicious exploits of other serious vulnerabilities. A variety of applications used by large organizations have been under attack since the beginning of the year. In many cases, the vulnerabilities were zero-days, meaning the exploits were in use before the vendors released a patch.
The attacks included Pulse Secure VPN exploits targeting federal agencies and defense contractors, successful exploits of a code-execution flaw in the BIG-IP line of server appliances sold by Seattle-based F5 Networks, the compromise of SonicWall firewalls, the use of Microsoft Exchange zero-days that put tens of thousands of organizations in the US at risk, and the exploitation of organizations running unpatched versions of the Fortinet VPN.
Like all of the exploited products above, vCenter resides in potentially vulnerable parts of large enterprise networks. Once attackers have gained control of these machines, it is often only a matter of time before they reach parts of the network where espionage malware or ransomware can be installed.
Administrators responsible for vCenter machines that still need to patch CVE-2021-21985 should install the update immediately if possible. It wouldn’t be surprising to see a crescendo in attack numbers by Monday.
Post updated to add the CISA advisory.