Last Tuesday, Feb. 23, 2021, VMware disclosed two vulnerabilities affecting vCenter Server and Cloud Foundation. Alongside the disclosure, the company published a workaround to protect servers, intended as a temporary measure until the builds carrying the security patch can be deployed. This was a fast reaction from the vendor, but while it worked to fix the issue, attackers were racing just as quickly to find ways to profit from the flaws. The vulnerabilities, tracked as CVE-2021-21972 and CVE-2021-21973, allow an attacker to disclose information and execute code through a vCenter Server plugin. The Blueliv Labs Team is actively investigating these vulnerabilities and the developments we are seeing in the wild, and we are sharing them in this blog. More findings will follow, and we will update this post accordingly with relevant and fresh intelligence.
In the first case, the less critical vulnerability, CVE-2021-21973, is a Server-Side Request Forgery (SSRF) that can lead to information disclosure due to improper validation of URLs in a vCenter Server plugin. An attacker with network access to port 443 on vCenter Server can trigger it with a single POST request to the plugin. SSRF is a web vulnerability in which the attacker induces the server-side application (here, the vSphere Client) to make HTTP requests to a destination of the attacker's choice. A successful exploit can expose information held by the vulnerable application or by back-end systems that the application can reach but the attacker cannot, such as internal management interfaces. Depending on what those reachable services expose, an SSRF can sometimes be escalated further, but VMware rates this particular issue as moderate severity and as an information disclosure.
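To make the SSRF class described above concrete, here is an added example, not code from the Blueliv post or from VMware's plugin: a URL-fetching helper in the vulnerable shape next to a hardened version. The plugin, the allowlisted hostnames, and the injected resolver and HTTP client are hypothetical; the checks it enforces (scheme, port, userinfo, host allowlist, and a resolved-address check against loopback, RFC 1918 and link-local ranges such as the 169.254.169.254 cloud metadata address) are the general ones for any server-side fetch, going beyond what the advisory itself describes.

```python
"""Added example (not code from the Blueliv post or from VMware): a
server-side fetch helper in the vulnerable pattern, next to a hardened
version that validates a client-supplied URL before following it.
Plugin name, allowlisted hosts and the stub HTTP client are hypothetical."""
import ipaddress
import socket
from urllib.parse import urlparse

# Destinations this hypothetical plugin is allowed to contact.
ALLOWED_HOSTS = {"vrops.corp.example", "api.vendor.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def resolve(hostname):
    """Default resolver: every address the name currently resolves to
    (IPv6 scope ids such as '%eth0' are stripped)."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(hostname, None)}


def is_non_public(addr):
    """True for loopback, RFC 1918, link-local (169.254.169.254 metadata),
    multicast, reserved, unspecified and other non-global addresses."""
    ip = ipaddress.ip_address(addr)
    return (not ip.is_global or ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, resolver=resolve):
    """Return (ok, reason). Every check here is one that fetch_unsafe() skips."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL (allowed-host@internal-host trick)"
    try:
        port = parsed.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    # Even an allowlisted name can be pointed at an internal address
    # (DNS rebinding, a compromised zone), so check what it resolves to.
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if is_non_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def fetch_unsafe(url, http_get):
    """Vulnerable pattern: the attacker-controlled URL is forwarded as-is, so
    the server can be pointed at localhost, internal hosts or metadata services."""
    return http_get(url)


def fetch_safe(url, http_get, resolver=resolve):
    """Hardened pattern: refuse anything validate_url() rejects."""
    ok, reason = validate_url(url, resolver)
    if not ok:
        raise ValueError(f"refused outbound request: {reason}")
    return http_get(url)
```

Two caveats a practitioner should keep in mind: the address that passed validation must be the one actually connected to (or the check must be repeated inside the HTTP client), otherwise DNS rebinding between validation and connection defeats it; and redirects must be re-validated, since an allowed host can answer with a 302 to an internal one.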
The second vulnerability, CVE-2021-21972, is critical: an attacker with network access to port 443, and without any authentication, can execute commands with unrestricted privileges on the operating system that hosts vCenter Server. Because vCenter manages the whole virtual infrastructure, compromising it puts at risk not only that host but the entire network in which it is deployed, and the company itself.
As mentioned above, at the same time as the CVEs were published, plenty of analysts (both well- and ill-intentioned) were working on proofs of concept (PoCs) and publishing them on GitHub. The attackers' fast reaction and the analysts' publications have drawn attention to the spread of tools and scripts that potentially allow anyone to exploit the vulnerabilities, regardless of technical expertise. Furthermore, much as cyber threat analysts collaborate during investigations, Blueliv found that only a few hours after the vulnerabilities were published, threat actors had created threads in well-known underground forums to share tools, PoCs and other information about exploiting them.
In the following screenshot, you can see how the user named 'Still' created a post sharing two links to proofs of concept meant to exploit CVE-2021-21972:
The second GitHub repository attempts to exploit the vulnerability to upload a JSP web shell, granting command execution on the remote server. As reported in the public PoCs, that shell runs as the vSphere Client service user rather than as root, which is why a local privilege escalation is still of interest to the attacker: if vCenter is hosted on a Linux system whose sudo is vulnerable to the recently surfaced CVE-2021-3156 (Baron Samedit), an attacker could chain the two to obtain root on the affected machine.
The same link shared in the previous image has also appeared in a different forum, posted by a different user:
To exploit the vulnerability, you also need valid targets. Some users have taken to sharing Shodan dorks to make it easier to find vulnerable targets (see the screenshot above):
With more than six thousand public-facing servers, some of them are bound to fall. Notice also how Shodan detects services running on non-standard ports, reinforcing the idea that security through obscurity is not a solution: moving vCenter off port 443 does not hide it from an internet-wide scanner.
Underground forums and similar channels are not the only places a willing attacker can find scripts or tools related to these CVEs: a simple Google search turns up many published PoCs for CVE-2021-21972:
Blueliv has detected several repositories related to this CVE thanks to the Blueliv CVE capability within Threat Context:
Blueliv recommends updating the vulnerable services, and applying the published workaround to protect your servers until you can patch. Note that the workaround only disables the vulnerable plugin; it does not undo anything an attacker may already have done, so we also strongly recommend reviewing server logs and system access for signs of attack. For example, some of these PoCs can be used to upload the attacker's SSH keys or to create a user with persistent access to the operating system, which the attacker can later use at their convenience. On exposed vCenter hosts, check the web server logs for requests to the vulnerable plugin, and check authorized_keys files and local user accounts for entries you did not create.
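As an added example (not code from the Blueliv post or from VMware), the following Python helpers implement the review suggested above on constructed input: they flag access-log requests to the unauthenticated vROps plugin path reported in the public PoCs for CVE-2021-21972, single out source IPs that uploaded a file and then requested a JSP, and compare local accounts and authorized_keys entries against a baseline to catch the persistence the PoCs set up. The endpoint paths, the log format and all sample data are assumptions.

```python
"""Added example, not code from the Blueliv post or from VMware: triage
helpers for the log and account review recommended above. Every log,
passwd and authorized_keys line below is constructed. The request paths
flagged are the ones reported in public PoCs for CVE-2021-21972 and are an
assumption about what an intrusion leaves in the logs, not a full signature."""
import re
from collections import defaultdict

# Assumes the vsphere-ui access log is written in Apache combined format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Unauthenticated plugin REST prefix and upload endpoint used by the PoCs (assumed).
PLUGIN_PREFIX = "/ui/vropspluginui/rest/services/"
UPLOAD_ENDPOINT = PLUGIN_PREFIX + "uploadova"
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return (category, severity, description), or None for a benign request."""
    path = entry["path"].split("?", 1)[0]
    if entry["method"] == "POST" and path == UPLOAD_ENDPOINT:
        return ("upload", "high", "file upload to the unauthenticated plugin endpoint")
    if path.startswith(PLUGIN_PREFIX):
        return ("probe", "medium", "request to the vulnerable plugin's REST prefix")
    if path.lower().endswith(".jsp"):  # a JSP request is unusual for the vSphere Client
        return ("jsp", "high", "request for a JSP resource (possible web shell)")
    return None

def triage(lines):
    """Group suspicious requests by source IP, preserving log order."""
    findings = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        verdict = classify(entry) if entry else None
        if verdict:
            findings[entry["ip"]].append({"ts": entry["ts"], "method": entry["method"],
                                          "path": entry["path"], "status": entry["status"],
                                          "category": verdict[0], "severity": verdict[1]})
    return dict(findings)

def likely_compromised(findings):
    """Sources that both uploaded to the plugin and then fetched a JSP: a scanner
    only probes, an exploit does both."""
    return sorted(ip for ip, events in findings.items()
                  if {"upload", "jsp"} <= {e["category"] for e in events})

def new_local_users(passwd_text, baseline):
    """Interactive accounts in /etc/passwd-style text that are not in the baseline."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        if fields[6] not in NOLOGIN_SHELLS and fields[0] not in baseline:
            found.append(fields[0])
    return sorted(found)

def unexpected_ssh_keys(authorized_keys_text, known_keys):
    """Entries whose 'type base64' material is not in known_keys; leading options
    and trailing comments are ignored so that renaming a key cannot hide it."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(parts)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        key = f"{parts[idx]} {parts[idx + 1]}"
        if key not in known_keys:
            unknown.append(key)
    return unknown

# Constructed sample data: one source exploits, one only probes and gets a 404,
# one is a normal client.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2021:10:15:02 +0000] "GET /ui/vropspluginui/rest/services/checkmobregister HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [24/Feb/2021:10:15:03 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 41 "-" "python-requests/2.25.1"
203.0.113.7 - - [24/Feb/2021:10:15:05 +0000] "GET /ui/resources/shell.jsp?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.25.1"
198.51.100.23 - - [25/Feb/2021:08:02:11 +0000] "GET /ui/vropspluginui/rest/services/checkmobregister HTTP/1.1" 404 0 "-" "curl/7.68.0"
192.0.2.44 - - [25/Feb/2021:08:05:00 +0000] "GET /ui/app HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vsphere-ui:x:1000:100:vSphere UI:/home/vsphere-ui:/bin/bash
support:x:1001:1001::/home/support:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
"""
SAMPLE_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedAdminKey admin@corp
no-pty ssh-rsa AAAAB3NzaC1yc2EConstructedAttackerKey x
"""
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedAdminKey"}
```

Run `triage()` over the real access log and `likely_compromised()` on the result to separate mass scanners from sources that actually planted something; a probe alone is noise at internet scale, an upload followed by a JSP request is not. The account and key checks need a baseline taken from a known-good build of the same vCenter version, and the key matcher ignores option strings that contain spaces, so review those lines by hand.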