On the 25th of May 2021, VMware published an advisory warning of two vulnerabilities – CVE-2021-21985 and CVE-2021-21986 – in their vCenter Server and Cloud Foundation products. Researchers at Cyber Security Works (CSW) analysed these vulnerabilities from a Pentester’s perspective and here is their verdict.
“If not patched, a hacker could exploit CVE-2021-21985 to execute commands with unrestricted privileges on the host operating system and compromise the same.”
A Pentester’s Perspective
Malicious Attackers on the Hunt for Unpatched VMware vCenter Versions
A week after CSW’s analysis of CVE-2021-21985, our prediction that attackers would target unpatched VMware vCenter versions is coming true. On June 2, 2021, a security researcher published proof-of-concept Remote Code Execution (RCE) exploit code. Two days later, CISA noticed threat actors scouring the Internet for unpatched vCenter servers in order to exploit the vulnerability. Further attempts were also identified in the wild, where attackers tried to compromise servers running vulnerable software versions.
CVE-2021-21985: Why is it so dangerous?
According to Packetstorm, the vulnerability can be exploited remotely by an unauthenticated attacker to run custom code on the target.
The CVE has a CVSS V3 score of 9.8, making it a highly critical vulnerability.
The CVE is an instance of CWE-20 (Improper Input Validation), ranked by MITRE as the third most dangerous software weakness of 2020: the affected component fails to properly validate a user’s request and goes on to process unsafe data.
The CVE has been trending in the wild since May 25th 2021, which was when the vulnerability was disclosed by VMware.
The CVE is seen trending in North America, Europe and the Asia-Pacific (APAC) region.
The vulnerability is seen in multiple software versions of VMware vCenter, an advanced server management tool providing a centralized platform for controlling vSphere environments, for visibility across hybrid clouds.
22 versions of vCenter server are found to be affected by the CVE – versions 6.5, 6.5 U1, 6.5 U3, 6.5 U3n, 6.5.0, 6.5.0a, 6.5.0b, 6.5.0c, 6.5.0d, 6.5u2c, 6.7, 6.7 U3, 6.7 U3l, 6.7 U3m, 6.7.0, 6.7.0d, 6.7u3f, 7.0, 7.0 U1a, 7.0 U1b, 7.0 U1c and 7.0 U2a.
The vulnerability is also seen to impact VMware Cloud Foundation (VCF) which provides multiple cloud services – compute virtualization, storage virtualization, network virtualization and cloud management and monitoring – via a single platform, based on a shared security responsibility model.
15 versions of VCF are impacted: 3.0, 3.0.1, [version number garbled in source], 3.5, 3.5.1, 3.7, 3.7.1, 3.7.2, 3.8, 3.9, 3.9.1, 3.10, [version number garbled in source], 4.0 and 4.2.
VMware has released fixed versions of each affected product and has also provided workarounds. Both can be found on their advisory page.
What is the Global Exposure?
A global exposure analysis using Shodan shows that many product versions with the vulnerability are being widely used.
There are 5342 instances of VMware vCenter Server exposed to the Internet, with around 25% of the instances being found in the United States.
5127 of these instances expose port 443, the primary entry point for an attack that could even compromise the host operating system. Ports 8443, 9443, 4443 and 444 could also serve as attack vectors.
VMware vCenter server version 6.7 seems to be the most used product with over 2000 instances spread across the United States, Germany, China, Turkey and the United Kingdom.
Prioritise the patch to avoid another Darkside
From our analysis of CVE-2021-21985, it is clear that the CVE could be used in a ransomware attack. In the Ransomware Report we published in the first half of May 2021, we noted how Darkside exploited a newly trending vulnerability and added it to its weaponry within 8 days of the CVE being discovered. We urge you to patch this vulnerability and proactively defend against cyberattacks.
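To turn the affected-version lists and the exposure figures above into a patch-prioritisation list for your own estate, the following Python script is an added example (it is not CSW’s tooling or VMware’s advisory code). It normalises the inconsistently spelled version strings the lists use (“6.7 U3l” versus “6.7u3f”), matches each inventory record against the affected vCenter and VCF versions quoted in the article, and ranks affected hosts by which of the named ports (443 first, then 8443, 9443, 4443 and 444) they expose to the Internet. The hostnames, the inventory records and the port weights are constructed assumptions; the two VCF entries garbled in the source are omitted.

```python
"""Patch-prioritisation triage for CVE-2021-21985 (added example, not CSW's tooling)."""
import re
from dataclasses import dataclass

# Affected versions exactly as the article lists them (VMware vCenter Server).
AFFECTED_VCENTER = {
    "6.5", "6.5 U1", "6.5 U3", "6.5 U3n", "6.5.0", "6.5.0a", "6.5.0b", "6.5.0c",
    "6.5.0d", "6.5u2c", "6.7", "6.7 U3", "6.7 U3l", "6.7 U3m", "6.7.0", "6.7.0d",
    "6.7u3f", "7.0", "7.0 U1a", "7.0 U1b", "7.0 U1c", "7.0 U2a",
}
# VMware Cloud Foundation; the two entries garbled in the article are omitted.
AFFECTED_VCF = {"3.0", "3.0.1", "3.5", "3.5.1", "3.7", "3.7.1", "3.7.2", "3.8",
                "3.9", "3.9.1", "3.10", "4.0", "4.2"}
# Ports the article names as entry points; weights are an assumption (443 is primary).
PORT_WEIGHT = {443: 3, 8443: 2, 9443: 2, 4443: 2, 444: 1}


def normalise_version(v: str) -> str:
    """Map spellings such as '6.7 U3l', '6.7u3f' or '6.7-U3F' to one form: '6.7 u3l'."""
    v = v.strip().lower()
    m = re.fullmatch(r"(\d+(?:\.\d+)*[a-z]?)\s*[-_ ]?\s*(u\d+[a-z]?)?", v)
    if not m:
        return v
    base, update = m.group(1), m.group(2)
    return f"{base} {update}" if update else base


_AFFECTED = {
    "vcenter": {normalise_version(x) for x in AFFECTED_VCENTER},
    "vcf": {normalise_version(x) for x in AFFECTED_VCF},
}


def is_affected(product: str, version: str) -> bool:
    """True if the (product, version) pair is on the article's affected list."""
    return normalise_version(version) in _AFFECTED.get(product.lower(), set())


@dataclass
class Asset:
    host: str
    product: str          # "vcenter" or "vcf"
    version: str
    exposed_ports: tuple  # ports reachable from the Internet
    country: str


def exposure_score(asset: Asset) -> int:
    """Higher score = more of the named entry-point ports are Internet-facing."""
    return sum(PORT_WEIGHT.get(p, 0) for p in asset.exposed_ports)


def prioritise(assets):
    """Affected assets, most exposed first, as (host, normalised version, score)."""
    hits = [(a.host, normalise_version(a.version), exposure_score(a))
            for a in assets if is_affected(a.product, a.version)]
    return sorted(hits, key=lambda t: (-t[2], t[0]))


def summarise_by_port(assets):
    """How many affected hosts expose each named port (the Shodan-style view)."""
    counts = {}
    for a in assets:
        if not is_affected(a.product, a.version):
            continue
        for p in a.exposed_ports:
            if p in PORT_WEIGHT:
                counts[p] = counts.get(p, 0) + 1
    return counts


# Constructed sample inventory: hostnames, ports and countries are made up.
SAMPLE = [
    Asset("vc-prod-01.example", "vcenter", "6.7 U3l", (443,), "US"),
    Asset("vc-lab-02.example", "vcenter", "6.7u3f", (443, 9443), "DE"),
    Asset("vc-dr-03.example", "vcenter", "7.0 U2a", (), "GB"),        # affected, not exposed
    Asset("vc-new-04.example", "vcenter", "7.0 U9z", (443,), "US"),   # hypothetical, not on the list
    Asset("vcf-mgmt-01.example", "vcf", "3.9.1", (443, 8443), "TR"),
]

if __name__ == "__main__":
    for host, version, score in prioritise(SAMPLE):
        print(f"{score:2d}  {host:24s} {version}")
    print("affected hosts per exposed port:", summarise_by_port(SAMPLE))
```

Two caveats when using this on real data: a version that is absent from the list is only “not flagged”, not “confirmed patched”, so confirm build numbers against VMware’s advisory rather than this article’s list; and an affected host with no Internet-facing port (like `vc-dr-03` above) still needs the patch, it just sorts lower in the queue.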