
Threat Flash Alert: VMware vCenter Server File Upload Vulnerability

21 September, 2021

Vulnerability Summary

VMware has issued a warning regarding a critical arbitrary file upload vulnerability that exists in the VMware Analytics service, impacting all appliances running the default vCenter server configuration.

This vulnerability can be exploited by individuals or threat actors already inside the network who are able to reach the vCenter server. They can gain access to the vulnerable server regardless of the vCenter configuration. VMware has released a patch and strongly urges emergency deployment on all vulnerable systems.

Details

CVE-2021-22005 – vCenter Server File Upload Vulnerability

The file upload vulnerability exists in the VMware Analytics Service on vCenter servers. A threat actor with network access to port 443 (HTTPS) on a vCenter server can exploit this vulnerability and execute code on the server by uploading a specially crafted file, allowing for software installation and command execution. It can be exploited by remote, unauthenticated users using low-complexity attacks and does not require user interaction.

Affected versions: vCenter Server 6.7 & 7.0

Multiple vulnerabilities have been reported affecting vCenter servers. A complete list and response matrix can be found in the VMware security release linked under Sources below.

Recommendations

VMware suggests declaring an emergency fix and patching any version on the list they have provided. A list of patches and vulnerable services can be found in the sources below.

VMware has also provided a workaround for organizations that cannot patch immediately, linked under Sources below. The workaround requires either editing a text file on the virtual appliance and restarting services manually, or running a VMware-provided script that removes the possibility of exploitation.

SOD Actions

Security On-Demand highly recommends implementing the updates provided by VMware to any vulnerable vCenter server.

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability.

At this time, no exploitation has been observed, but it is only a matter of time until threat groups take advantage of any unpatched appliances.

Sources

VMware Security release and Response Matrix

Workaround Instructions for CVE-2021-22005

VMware – VMSA-2021-0020 Q&A

Bleeping Computer Security news – VMware critical bug
