{"id":7504,"date":"2021-09-27T19:40:03","date_gmt":"2021-09-28T02:40:03","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7504"},"modified":"2023-04-05T12:38:00","modified_gmt":"2023-04-05T19:38:00","slug":"critical-vmware-vulnerability-patch-cve-2021-22005-now","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/critical-vmware-vulnerability-patch-cve-2021-22005-now\/","title":{"rendered":"Critical VMware Vulnerability: Patch CVE-2021-22005 Now!"},"content":{"rendered":"<p><strong>{Updated on October 07, 2021}:<\/strong> A full working redacted <a href=\"https:\/\/securityaffairs.co\/wordpress\/122686\/hacking\/cve-2021-22005-exploit-vmware-vcenter.html\">Proof of Concept<\/a> was released by an independent researcher, William Vu, on September 28, 2021. Within a few hours of the release of the proof of concept, cybercriminals were observed using the unredacted proof-of-concept in active exploits.<\/p>\n<p dir=\"ltr\">The proof of concept is separate from the partial POC released by Jang. This version can allow remote attackers to execute arbitrary code by using a reverse shell on a vulnerable server. The vulnerability can then be exploited by unauthenticated users remotely and allow attackers to upload a specially-crafted file to the vCenter Server Analytics Service. Since the <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2021-0020.html\">patch<\/a> to the critical vulnerability is already available, we recommend urgent patching of servers.<\/p>\n<p dir=\"ltr\">We urge organizations to continuously update all their enterprise assets so as not to be at risk of a ransomware attack.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 500px; height: 311px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/vmware-infographic.png\" alt=\"VMware Vulnerability Timeline of Events\" \/><\/p>\n<p><strong>On September 21, 2021, VMware published an <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2021-0020.html\">advisory<\/a> warning of nineteen vulnerabilities in their vCenter Server. <\/strong><strong>Of the nineteen vulnerabilities, one CVE stands out as being extremely critical and potential to be exploited by ransomware\u2014CVE-2021-22005.<\/strong><\/p>\n<p dir=\"ltr\">Researchers at Cyber Security Works (CSW) analyzed these vulnerabilities from a Pentester\u2019s perspective and here is their verdict.<\/p>\n<blockquote>\n<p dir=\"ltr\"><strong>&#8220;Any malicious actor who has network access to port 443 on vCenter Server can exploit CVE-2021-22005 easily and execute code by uploading a maliciously crafted file.&#8221;<\/strong><br \/>\n~ A Pentester\u2019s Perspective<\/p>\n<\/blockquote>\n<h3 dir=\"ltr\"><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrWm5Lr5Fq9qbklV?backgroundColor=blue&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/h3>\n<h2 dir=\"ltr\"><strong>Attackers Actively Scanning CVE-2021-22005\u00a0<\/strong><\/h2>\n<p dir=\"ltr\">VMware products have been seeing several critical vulnerabilities in the last couple of weeks. After <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-21985\" target=\"_blank\" rel=\"noopener\">CVE-2021-21985<\/a>, which also affects vCenter versions, this week\u2019s critical vulnerability needs to be patched on priority before it can be exploited.<\/p>\n<p dir=\"ltr\"><strong>Our expert pentesters identified that CVE-2021-22005 is being <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-exploiting-critical-vmware-vcenter-cve-2021-22005-bug\/\" target=\"_blank\" rel=\"noopener\">actively scanned<\/a> by threat actors and can have a massive impact if a ransomware gang has access to port 443.\u00a0<\/strong><\/p>\n<h2 dir=\"ltr\"><strong>Why is CVE-2021-22005 so dangerous?<\/strong><\/h2>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The vulnerability is an arbitrary file upload flaw that can allow an attacker to upload a specially crafted file remotely.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The CVE has a CVSS v3 score of <strong>9.8<\/strong>, making it an extremely critical vulnerability.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Successful exploitation of the vulnerability would allow remote code execution of the host. As VMware notes in a <a href=\"https:\/\/blogs.vmware.com\/vsphere\/2021\/09\/vmsa-2021-0020-what-you-need-to-know.html\" target=\"_blank\" rel=\"noopener\">blog post<\/a>, the vulnerability exists in vCenter Server in spite of configuration settings, therefore making the vulnerability exploitable by default in affected vCenter Server versions.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The CVE had not been assigned a CWE by NVD when this article was written.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The CVE has been trending in the wild since September 21, 2021, which was when the vulnerability was disclosed by VMware.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The CVE is seen <a href=\"https:\/\/trends.google.com\/trends\/explore?date=now%207-d&amp;q=CVE-2021-22005\" target=\"_blank\" rel=\"noopener\">trending<\/a> in Asia-Pacific (APAC) region, specifically Singapore and Australia, and also in North America, Brazil, and parts of Europe.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">VMware issued a temporary <a href=\"https:\/\/kb.vmware.com\/s\/article\/85717\" target=\"_blank\" rel=\"noopener\">workaround<\/a> for the vulnerability on September 22.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">A <a href=\"https:\/\/testbnull.medium.com\/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee\" target=\"_blank\" rel=\"noopener\">partial PoC<\/a> was released by a researcher called Jang on September 24. It was left partial so that companies have enough time to patch the vulnerability.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\" style=\"text-align: center;\"><b id=\"docs-internal-guid-8f2914f9-7fff-b07b-bf89-87bf472202dc\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0<img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/xfb2O0cTTyHhDUMHSpjeulp9E-Ue9-dZJP3jWJn0zYTt0E5vZYMP0-jl-j3acGXPs9Ezt-rVernJjVMocYKh1KdRUYoPd45TW90K2vAlr1aUU9Ch-y-aClNzzHGxKqUaoJ96y9vS=s0\" width=\"602\" height=\"355\" \/><\/b><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><b><a href=\"https:\/\/trends.google.com\/trends\/explore?date=now%207-d&amp;q=CVE-2021-22005\">Trending regions for CVE-2021-22005<\/a><\/b><\/p>\n<p dir=\"ltr\"><b id=\"docs-internal-guid-8f2914f9-7fff-b07b-bf89-87bf472202dc\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/b><\/p>\n<h2 dir=\"ltr\"><strong>Vulnerable Products<\/strong><\/h2>\n<p dir=\"ltr\">The primary products that are most vulnerable to <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-22005\" target=\"_blank\" rel=\"noopener\">CVE-2021-22005<\/a> are vCenter Server versions 6.7, and 7.0. Shodan exposure details show that v7.0.1 and v7.0.2 are also affected by the vulnerability.<\/p>\n<p dir=\"ltr\">We urge organizations using VMware vCenter Servers to check if their server version is vulnerable by running the <a href=\"https:\/\/kb.vmware.com\/s\/article\/85717\" target=\"_blank\" rel=\"noopener\">script<\/a> recommended by VMware and update their servers thereafter to the newest versions after applying the <a href=\"https:\/\/kb.vmware.com\/s\/article\/85717\" target=\"_blank\" rel=\"noopener\">workaround<\/a> to the vulnerability.<\/p>\n<h2 dir=\"ltr\"><strong>What is the Global Exposure?\u00a0<\/strong><\/h2>\n<p dir=\"ltr\">A global exposure analysis using Shodan shows that many product versions with the vulnerability are being widely used.<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">There are 6611 instances of VMware vCenter Server exposed to the Internet, with around 40% of the instances being found in the United States alone.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">\u00a0 \u00a0 \u00a0 \u00a0<b id=\"docs-internal-guid-a646bbab-7fff-ec51-ecce-9dcfdf8f9256\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/VqFzUM0_ZIfch86DhaSPH-H2ai7-WfvgP8i8Ukp375vbl1-OQwIUbMhnUh_IotKk7_0nzJRD1pK8j6VNsvTCSjorbgJ23gehTg0_Sl3mS2Zsi5_Uu4alOaIFvbwZUvC7isW41LKm=s0\" width=\"197\" height=\"275\" \/><\/b><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 14px;\"><strong>vCenter Server v6.7.0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/strong><\/span><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">VMware vCenter Server version 6.7 seems to be the most used product with over 1700 instances spread across the United States, Germany, China, France, Turkey, and Russia.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><b id=\"docs-internal-guid-96ae9304-7fff-0ace-35ab-2f1d393beb2c\"><img decoding=\"async\" style=\"width: 150px; height: 224px;\" src=\"https:\/\/lh5.googleusercontent.com\/LkX-6lqotBiVisQt2WQRn-SQT_IqijVQS16OwXqv8_WLlAp5rPAl8vNYHjO2cGO6GY27s9qXGiMivRDDO0tHTmW03w6xqT1SdZIr-rk__1VorZL-4Hw4f9Iq20xfWAlnLeh-jnka=s0\" \/><\/b><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">1640 instances of port 443 are prone to be exploited by attackers. Port 443 is considered the most vulnerable entry point for an attack that could compromise the host operating system as well.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><b id=\"docs-internal-guid-b5d0e6ff-7fff-3fa6-4486-dce4f6afbb44\"><img decoding=\"async\" style=\"width: 150px; height: 106px;\" src=\"https:\/\/lh3.googleusercontent.com\/jYnYlvXiH7Bo88uUpz8xYiBD46LeSyl4HRf8zAG97eMcOo2349q0_9QhSkCe2_xumjGpqHRWYCzjuqtRtIPWTrNCnUx0zwnvNhCOumumDHI4zwUzuEtlrE1etnKQ2CVVgo9JaCWH=s0\" \/><\/b><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Ports 8443, 9443, 10443, and 9001 could also serve as possible attack vectors for vCenter version 6.7.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><span style=\"font-size: 14px;\"><strong>vCenter Server v7.0.0<\/strong><\/span><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">VMware vCenter Server version 7.0.0 has 146 instances of being in use and is primarily spread across the United States, China, Germany, Iran, and Hongkong.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><b id=\"docs-internal-guid-2e883621-7fff-8017-ea0d-9765f7b5bb0e\"><img decoding=\"async\" style=\"width: 150px; height: 216px;\" src=\"https:\/\/lh3.googleusercontent.com\/dEBX1zWNyMbXBjUv0BjbY8A9PHhT9OIx5LPcGiDlZwPEq0GLlgTooo_U12rAmVB9tJ-nxsFTA_LR_aoTOltpdCbmVCIj0QMqtsVInccKin2w1H6o04UQi_sAFkquO2zXbd2KmCaC=s0\" \/><\/b><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">130 instances of port 443 are prone to be exploited by attackers for v7.0.0.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">\u00a0<b id=\"docs-internal-guid-d82f2e1a-7fff-28d5-eb24-c4cae89432ef\"><img decoding=\"async\" style=\"width: 150px; height: 104px;\" src=\"https:\/\/lh6.googleusercontent.com\/NgmlutDvtuqkj60NTkpOE4ilxVTHY-jYTvRt34ltm37bFVMCZ28Gj_K1iXgFhpYQyEIgAmL_LN169O4fKvNGvQVLuJpq4yWytz1O2Df1XDgw8km05AKszQsV8I1nBEa0HGSWr7Cx=s0\" \/><\/b><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 14px;\"><strong>vCenter Server v7.0.1<\/strong><\/span><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">VMware vCenter Server version 7.0.1 has 146 instances of being in use and is primarily spread across the United States, China, Germany, Iran, and Hongkong.<\/p>\n<\/li>\n<\/ul>\n<h3 dir=\"ltr\"><b id=\"docs-internal-guid-126e34dd-7fff-9d23-68a5-3da717b31908\"><img decoding=\"async\" style=\"width: 150px; height: 224px;\" src=\"https:\/\/lh6.googleusercontent.com\/0pp-0G3J9QedSK_aDo2dkK6J0UHcsiFi47AJGrA9Cbzd_mrP-mZMv17tl6B06N72HSKxSFZJtLJGEKzNA7ehgqI8eP4nexQMZGuu8k_prIK82BH0X7nk9ogP98-R6V7OlDNFjhuG=s0\" \/><\/b><\/h3>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">167 instances of port 443 are prone to be exploited by attackers for v7.0.1.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">\u00a0<b id=\"docs-internal-guid-acee47b8-7fff-15f4-ffa2-6c9e0e986f7c\"><img decoding=\"async\" style=\"width: 153px; height: 105px;\" src=\"https:\/\/lh3.googleusercontent.com\/10TRm9NTVJCM1phv4wRQ-7VX8pAYSIFq-zgsfnA0yBXSL9RL2xjjo4CCd5vxs8Fh-jj4pG82OBmToGCktOnDQEycexbyd6qrMKd5o8Jo90YMVe1SEPyqDQcJwpsSI_SfV9QpqI9Z=s0\" \/><\/b><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 14px;\"><strong>vCenter Server v7.0.2<\/strong><\/span><\/p>\n<ul dir=\"ltr\">\n<li>VMware vCenter Server version 7.0.2 has 996 instances of being in use and is primarily spread across the United States, Germany, France, Turkey, and Iran.<\/li>\n<\/ul>\n<p dir=\"ltr\"><b id=\"docs-internal-guid-2f0b27e5-7fff-1a0e-1edc-4abb218b0ad0\"><img decoding=\"async\" style=\"width: 153px; height: 224px;\" src=\"https:\/\/lh6.googleusercontent.com\/aezcfX9rQtdRwL_JZOQd2kHTyKpdv-jJPuhYmjuB6q_1Cvmrz42BHPZ6duTKWahVfX2p1m2VOeJ1enDW4DoG6o39Ax9DAzv0UxnITn2Hqux_j2WJZp8CENWWyY_MnBdijvOlxNVJ=s0\" \/><\/b><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">942 instances of port 443 are prone to be exploited by attackers for v7.0.2.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><b id=\"docs-internal-guid-b703457d-7fff-bbd0-1bf2-50ef2c1d70a7\"><img decoding=\"async\" style=\"width: 150px; height: 100px;\" src=\"https:\/\/lh5.googleusercontent.com\/W259JvYceQ6s1ZnhbwqiqKlIPm76QhDU2Wm_84ACsdap18BY5a3MyED1qkukdm586pqTvpceKu6oJbXK3QH5ZdJItl9fy-FZQNPuvzZzhypDebKvhoOWvNm0obbypolsW3WTEpAt=s0\" \/><\/b><\/p>\n<p dir=\"ltr\"><strong>Here are the plugin details used by scanners:<\/strong><\/p>\n<table style=\"width: 500px;\" border=\"1\" cellspacing=\"1\" cellpadding=\"1\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><strong>Names of Scanners<\/strong><\/td>\n<td style=\"text-align: center;\"><strong>Plugins for CVE-2021-22005<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Nessus<\/td>\n<td>153544, 153545<\/td>\n<\/tr>\n<tr>\n<td>Nexpose<\/td>\n<td>&#8216;vmsa-2021-0020-cve-2021-22005-vcenter&#8217;<\/td>\n<\/tr>\n<tr>\n<td>Qualys<\/td>\n<td>216266, 216265<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Patching this vulnerability should be a top priority for organizations.<\/strong><\/p>\n<p dir=\"ltr\">The inference we can draw from our analysis of CVE-2021-22005 is that it is critical to upgrade to version 7.0 U2c, or 6.7 U3o if it is a virtual appliance.<\/p>\n<p dir=\"ltr\">CISA issued a <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/09\/24\/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active\">warning<\/a> on September 24, 2021, encouraging immediate action towards mitigating the issue as well.<\/p>\n<blockquote>\n<p dir=\"ltr\">We urge administrators to patch this vulnerability first before moving on to the scheduled patches as the imminent threat of a major ransomware attack similar to the <a href=\"https:\/\/cybersecurityworks.com\/blog\/ransomware\/darkside-ransomware-threat-associations-unearthed.html\">DarkSide attack<\/a>, looms menacingly.<\/p>\n<p dir=\"ltr\">\n<\/blockquote>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Worried about cyber attacks? Are you sure there are no gaps in your security?<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>We can help shrink your attack surface. <a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\">Talk to us!<\/a><\/strong><\/p>\n<p dir=\"ltr\">\n","protected":false},"excerpt":{"rendered":"<p>On September 21, 2021, VMware published an advisory warning of nineteen vulnerabilities in their vCenter Server. Of the nineteen vulnerabilities, one CVE stands out as being extremely critical and potential to be exploited by ransomware\u2014CVE-2021-22005.<\/p>\n","protected":false},"author":1,"featured_media":14341,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,123,135],"tags":[454,91,250,218,404,139],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7504"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7504"}],"version-history":[{"count":3,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7504\/revisions"}],"predecessor-version":[{"id":14357,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7504\/revisions\/14357"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/14341"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}