Overview of VMware vCenter Server Flaw
On September 21, 2021, VMware released a statement confirming that Internet-exposed vCenter Server instances are being actively targeted. Attackers are mass-scanning for unpatched vCenter appliances and exploiting CVE-2021-22005, a critical arbitrary file upload vulnerability in the vCenter Server Analytics service that is well suited to ransomware operations. Reported to VMware by SolidLab LLC, the flaw lets anyone who can reach vCenter Server over the network (port 443) upload a specially crafted file and execute code on the appliance, regardless of its configuration settings.
Scanning activity has so far been observed from 116[.]48.233.234. The scans reportedly use details from the workaround guidance VMware published for customers who could not patch immediately, the same pattern seen with the earlier vCenter vulnerabilities disclosed in 2021: CVE-2021-21972, a remote code execution flaw in a vSphere Client plugin present on default vCenter installations, and CVE-2021-21985, another remote code execution flaw, were both targeted by scanning and exploitation attempts soon after disclosure. The same advisory (VMSA-2021-0020) also covers 17 other VMware vulnerabilities that need attention; VMware rates none of them as critical as CVE-2021-22005.
Leaving vCenter Server unpatched is not recommended. vCenter manages the ESXi hosts and virtual machines of an environment, so an attacker who controls it can reach the desktops and servers it hosts and the accounts that use them, steal confidential data and intellectual property, and then wait patiently and quietly, breaking into other systems over a long period, before deploying ransomware and extorting payment.
CVE-2021-22005 affects vCenter Server 6.7 and 7.0 (and the VMware Cloud Foundation releases that bundle them). vCenter Server 6.5 is not affected by this particular CVE, but it is affected by other vulnerabilities in VMSA-2021-0020 and still needs the 6.5 patch.
Total CVEs
- CVE-2021-21991
- CVE-2021-21992
- CVE-2021-21993
- CVE-2021-22005
- CVE-2021-22006
- CVE-2021-22007
- CVE-2021-22008
- CVE-2021-22009
- CVE-2021-22010
- CVE-2021-22011
- CVE-2021-22012
- CVE-2021-22013
- CVE-2021-22014
- CVE-2021-22015
- CVE-2021-22017
- CVE-2021-22018
- CVE-2021-22019
- CVE-2021-22020
How Avertium is Protecting Our Clients
- Do not expose your vCenter Server to the Internet. Instead, place it behind a VPN so it can still be reached remotely without being exposed.
- Avertium has an Architecture & Integrations team that can help set up a VPN for your VMware systems if you don't already have one.
- Avertium's Vulnerability Management service can help identify critical vulnerabilities such as these for patching.
Recommendations for CVE-2021-22005
- Patch. The best thing you can do right now is to apply VMware's latest security update for vCenter Server (VMSA-2021-0020).
- If you cannot patch right away, VMware provides a workaround that involves editing a text file on the vCenter Server Appliance (VCSA) and restarting services; it is documented as part of the VMSA linked under References below. Treat it as a temporary measure only and still schedule the patch.
- If you cannot patch right away, VMware also recommends using network perimeter access controls or the vCenter Server Appliance firewall to restrict access to the vCenter Server management interfaces.
- VMware strongly suggests limiting access to the vCenter Server, ESXi, and vSphere management interfaces to vSphere administrators only, and driving all other workload management activity through the VM network connections. This simplifies access control and makes RDP or SSH management traffic subject to other security controls, such as IDS/IPS and monitoring.
Additional IPs Scanning for CVE-2021-22005
- 37[.]187.96.183
- 185[.]31.175.247
- 178[.]17.170.13
- 209[.]141.45.189
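The IP addresses above (and the one reported earlier, 116[.]48.233.234) are most useful when checked against what actually reached your vCenter Server. The following is an added example, not code from Avertium, VMware, or any of the referenced sources: it refangs the defanged IOCs from this report and hunts for them in a web access log. It assumes the log has been exported in Apache combined log format (vCenter's reverse proxy log is not necessarily in that shape, so adjust the regular expression to your source), and the sample log lines are constructed for illustration.

```python
"""Hunt an HTTP access log for the CVE-2021-22005 scanner IPs in this report.

Added example; not Avertium's or VMware's code. The IOC list is copied from
this report in defanged form. SAMPLE_LOG is constructed test data in Apache
combined log format (an assumption about how the log was exported).
"""
import ipaddress
import re
from collections import Counter

# Defanged IOCs as listed in this report.
DEFANGED_IOCS = [
    "116[.]48.233.234",
    "37[.]187.96.183",
    "185[.]31.175.247",
    "178[.]17.170.13",
    "209[.]141.45.189",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 116[.]48.233.234 back into 116.48.233.234."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


# Parse once so malformed IOCs fail loudly here rather than silently never matching.
IOC_IPS = {ipaddress.ip_address(refang(ioc)) for ioc in DEFANGED_IOCS}

# Apache combined log format: client ip, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict for a well-formed access log line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    return rec


def hunt(lines, iocs=IOC_IPS):
    """Return (hits, counts): matching records and a per-IP hit count."""
    hits = []
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unparseable lines instead of crashing
        if rec["ip"] in iocs:
            hits.append(rec)
            counts[str(rec["ip"])] += 1
    return hits, counts


# Constructed sample log: two IOC hits from one address, one from another,
# internal admin traffic that must not match, and one malformed line.
SAMPLE_LOG = [
    '116.48.233.234 - - [21/Sep/2021:22:03:17 +0000] "GET / HTTP/1.1" 200 2455 "-" "python-requests/2.26.0"',
    '10.20.30.40 - - [21/Sep/2021:22:04:02 +0000] "GET /ui/login HTTP/1.1" 200 9831 "-" "Mozilla/5.0"',
    '116.48.233.234 - - [21/Sep/2021:22:04:05 +0000] "GET /sdk/vimService HTTP/1.1" 404 1054 "-" "python-requests/2.26.0"',
    '209.141.45.189 - - [22/Sep/2021:01:11:39 +0000] "POST / HTTP/1.1" 403 512 "-" "curl/7.68.0"',
    'this is not a log line',
    '10.20.30.40 - - [22/Sep/2021:01:12:00 +0000] "GET /ui/ HTTP/1.1" 200 9831 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    found, per_ip = hunt(SAMPLE_LOG)
    for rec in found:
        print(f"{rec['ip']} {rec['ts']} {rec['method']} {rec['path']} -> {rec['status']}")
    print("hits per IOC:", dict(per_ip))
```

Run it against a real export with `hunt(open("access.log"))`. Any hit is worth triage even if the response status was 403 or 404, because a scanner that found your appliance will usually return once a working exploit is available; a hit with a 200 against an unpatched 6.7 or 7.0 appliance should be treated as a possible compromise, not just a scan.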
References
Hackers are scanning for VMware CVE-2021-22005 targets, patch now! (bleepingcomputer.com)
VMSA-2021-0020: What You Need to Know - VMware vSphere Blog
VMSA-2021-0020 (vmware.com)
GreyNoise