Threat actors target VMware vCenter Server users
Users of VMware vCenter Server are advised to patch a series of vulnerabilities post haste
VMware has released a series of patches addressing various vulnerabilities in its vCenter Server products (versions 6.5, 6.7 and 7.0) which should be applied immediately, as the ramifications for users are serious, and malicious actors are already known to be sniffing around.
The patches address a total of 19 vulnerabilities, listed in VMware's advisory, of which the most serious is CVE-2021-22005, a file upload vulnerability that has been assigned a critical CVSSv3 base score of 9.8.
A threat actor with network access to port 443 on vCenter Server would be able to exploit this vulnerability to execute code on the vCenter Server appliance by uploading a specially crafted file. Note that this particular vulnerability is not present in version 6.5, although 6.5 is still affected by other flaws in the same advisory.
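The advisory's two triage facts above, that CVE-2021-22005 only affects the 6.7 and 7.0 release lines and that the attacker only needs network access to TCP/443, are enough to prioritise an estate of appliances. The following helper is an added example for this article, not VMware code or VMware's own advisory data: the inventory entries, the management network ranges and the `patched` flag are constructed for illustration, and no fixed build numbers are encoded because this page does not list them, so patch state must come from your own inventory.

```python
"""Triage helper for the vCenter Server advisory discussed above (added example).

Classifies appliances by (a) whether the release line is in scope for
CVE-2021-22005 (6.7 and 7.0; 6.5 is out of scope for that CVE but still
in scope for the rest of the advisory) and (b) whether TCP/443 is
reachable from source ranges outside the management networks you declare.
Patch state is taken from inventory; no build numbers are assumed here.
"""
from dataclasses import dataclass
import ipaddress

# Release lines covered by the advisory, and those carrying CVE-2021-22005.
ADVISORY_LINES = {"6.5", "6.7", "7.0"}
CVE_2021_22005_LINES = {"6.7", "7.0"}


@dataclass
class VCenter:
    name: str
    version: str            # e.g. "7.0.2"; only the release line matters here
    patched: bool           # hypothetical field supplied by your inventory
    allowed_sources: list   # CIDRs allowed to reach TCP/443 (firewall or ACL)


def release_line(version: str) -> str:
    """'7.0.2' -> '7.0'; the advisory is scoped by release line."""
    return ".".join(version.split(".")[:2])


def exposed_outside(allowed_sources, management_nets) -> list:
    """Return the allowed CIDRs that are not contained in any management net."""
    mgmt = [ipaddress.ip_network(n) for n in management_nets]
    exposed = []
    for cidr in allowed_sources:
        net = ipaddress.ip_network(cidr)
        # subnet_of() only accepts same-family networks, hence the version filter.
        if not any(net.subnet_of(m) for m in mgmt if net.version == m.version):
            exposed.append(cidr)
    return exposed


def triage(vc: VCenter, management_nets) -> dict:
    """Assign a change priority: emergency > high > standard > none."""
    line = release_line(vc.version)
    in_scope = line in ADVISORY_LINES
    rce_scope = line in CVE_2021_22005_LINES
    exposed = exposed_outside(vc.allowed_sources, management_nets)
    if not in_scope or vc.patched:
        priority = "none"
    elif rce_scope and exposed:
        priority = "emergency"   # critical file-upload RCE reachable from outside mgmt
    elif rce_scope:
        priority = "high"        # critical RCE, but 443 is limited to mgmt ranges
    else:
        priority = "standard"    # 6.5: other advisory CVEs only
    return {
        "name": vc.name,
        "line": line,
        "cve_2021_22005": rce_scope and not vc.patched,
        "exposed_from": exposed,
        "priority": priority,
    }


# Constructed sample inventory and management ranges (not real hosts).
MANAGEMENT_NETS = ["10.0.0.0/8", "fd00::/8"]
INVENTORY = [
    VCenter("vc-prod-01", "7.0.2", False, ["0.0.0.0/0"]),
    VCenter("vc-dr-01", "6.7.0", False, ["10.20.0.0/16"]),
    VCenter("vc-lab-01", "6.5.0", False, ["10.99.0.0/16"]),
    VCenter("vc-test-01", "7.0.1", True, ["0.0.0.0/0"]),
]


def triage_all(inventory=INVENTORY, management_nets=MANAGEMENT_NETS) -> list:
    order = {"emergency": 0, "high": 1, "standard": 2, "none": 3}
    results = [triage(vc, management_nets) for vc in inventory]
    return sorted(results, key=lambda r: order[r["priority"]])


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['priority']:9s} {r['name']:12s} {r['line']} "
              f"CVE-2021-22005={r['cve_2021_22005']} exposed_from={r['exposed_from']}")
```

The exposure check is deliberately coarse: it reads your own allow-list rather than probing the appliance, so it runs offline and does not touch production vCenter instances. Swap in the real firewall export and a patch flag derived from VMware's fixed-build table before relying on the ordering.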
Other vulnerabilities with CVSSv3 scores of 8 and above include CVE-2021-21991, a local privilege escalation vulnerability; CVE-2021-22006, a reverse proxy bypass vulnerability; and CVE-2021-22011, an unauthenticated API endpoint vulnerability. These vulnerabilities were discovered and disclosed to VMware by SolidLab’s George Noseevich and Sergey Gerasimov, and Hynek Petrak of Schneider Electric.
“These updates fix a critical security vulnerability, and your response needs to be considered at once,” VMware’s Bob Plankers said in a blog post.
“Organisations that practise change management using the ITIL definitions of change types would consider this an ‘emergency change’. All environments are different, have different tolerance for risk, and have different security controls and defence-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act.”
Some of the other vulnerabilities with lower scores could still be useful to an attacker who has already obtained access to an organisation’s network and should not be discounted.
VMware has made available a central hub resource for those affected by the vCenter Server vulnerabilities, bringing together the advisory, patches and FAQ.
ESET’s Jake Moore commented: “As threat actors improve on their speed in reacting to real-world vulnerabilities, it is strongly advised to act quickly in updating with the antidote to these flaws before it’s too late.
“Although there are no current reports on any exploitation, this can change without a moment’s notice in times of very sophisticated adversaries looking to take advantage of unpatched weaknesses. Furthermore, and for extra protection, any network access to critical infrastructure should ideally only be carried out via a VPN.”
Chris Sedgewick, director of security operations at Talion, added: “Due to its global prevalence, VMware is a lucrative platform for attackers to target, and recently VMware exploits have been extremely popular, with sophisticated state-backed groups and intelligence services utilising them to assist in the successful execution of their campaigns.
“Back in May, a similar exploit in vCenter was disclosed after Russian threat groups were exploiting it. Therefore, it is especially important for users to take swift action by quickly following the recommended actions and implementing the security updates for VMware.”