VMware addressed a critical arbitrary file upload vulnerability, tracked as CVE-2021-22005, that impacts appliances running default vCenter Server 6.7 and 7.0 deployments.
vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.
The vulnerability is due to the way it handles session tokens.
“VMware has released patches that address a new critical security advisory, VMSA-2021-0020. This needs your immediate attention if you are using vCenter Server.” reads the advisory published by the virtualization giant. “The VMSA outlines a number of issues that are resolved in this patch release. The most urgent addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”
The company urges its customers to immediately apply the security patch to fix the vulnerability. Threat actors could exploit it to carry out multiple malicious activities, such as deploying ransomware in the target network.
“In this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.” continues the advisory.
“Immediately, the ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available”
The bad news is that cyber security experts from threat intelligence firm Bad Packets have already observed scanning activity for this vulnerability.
VMware also provided a workaround in case the customers are not able to immediately patch their installs.
The FAQ published by the company is available here.
In February, VMware addressed a critical remote code execution (RCE) vulnerability in the vCenter Server virtual infrastructure management platform, tracked as CVE-2021-21972, that could be exploited by attackers to potentially take control of affected systems.
In May, the company fixed another flaw, tracked as CVE-2021-21985, which is caused by the lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in the vCenter Server. The vulnerability has received a CVSS score of 9.8 and impacts vCenter Server 6.5, 6.7, and 7.0.
In May, VMware issued a similar warning regarding a critical remote code execution (RCE) flaw in the Virtual SAN Health Check plug-in impacting all vCenter Server deployments.
Flaws in VMware vCenter Server could be very dangerous for organizations, exploits for such kind of bugs are dangerous weapons in the arsenal of threat actors.
In July, zero-day exploit broker Zerodium announced it is looking for zero-day exploits for VMware vCenter Server, the company offered up to $100,000 for zero-days in this product.
(SecurityAffairs – hacking, VMware vCenter Server)