Threat Flash Alert: VMware vCenter Server File Upload Vulnerability
21 September, 2021
VMware has issued a warning regarding a critical arbitrary file upload vulnerability that exists in the VMware Analytics service, impacting all appliances running the default vCenter server configuration.
This vulnerability can be exploited by individuals or threat actors already inside the network who are able to reach the vCenter server; they can gain access to the vulnerable server regardless of the vCenter configuration. VMware has provided a patch and strongly urges emergency deployment on all vulnerable systems.
CVE-2021-22005 – vCenter Server File Upload Vulnerability
The file upload vulnerability exists in the VMware Analytics Service on vCenter servers. A threat actor with network access to port 443 (HTTPS) on a vCenter server would be able to exploit this vulnerability and execute code on the server by uploading a specially crafted file, which allows software installation and command execution. Remote unauthenticated users can exploit it with low-complexity attacks, and no user interaction is required.
Affected versions: vCenter Server 6.7 & 7.0
Multiple vulnerabilities have been reported regarding vCenter servers. A complete list and response matrix can be found here.
VMware suggests declaring an emergency fix and patching any version on the list they have provided. A list of patches and vulnerable services can be found in the sources below.
VMware has also provided a workaround for organizations that cannot patch immediately, which can be found here. The workaround requires editing a text file on the virtual appliance and restarting services manually, or utilizing a VMware-provided script to remove the possibility of exploitation.
Security On-Demand highly recommends implementing the updates provided by VMware to any vulnerable vCenter server.
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability.
At this time, no exploitation has been observed, but it is only a matter of time until threat groups take advantage of unpatched appliances.
Bleeping Computer Security news – VMware critical bug