Overview of VMware vCenter Server Flaw

On September 21, 2021, VMware released a statement detailing how Internet-exposed vCenter servers are actively being targeted by attackers. The attackers are exploiting a ransomware-friendly security flaw, CVE-2021-22005, and performing mass scans for unpatched vCenter appliances. Initially reported by SolidLab LLC, the flaw is a file upload vulnerability that anyone with network access to a vCenter server can exploit to execute remote code, regardless of the appliance's configuration settings.


As of now, scanning activity has been observed from the IP address 116[.]48.233.234. It has been reported that the scans use the workaround information VMware provided for customers who did not immediately patch their appliances when several vulnerabilities were disclosed during the winter and summer of 2021. Those vulnerabilities include a flaw (CVE-2021-21972) affecting all default vCenter installs and an RCE exploit (CVE-2021-21985). There are also 17 other VMware vulnerabilities that need attention; however, VMware stated that those are not nearly as critical as CVE-2021-22005.


Leaving vCenter servers unpatched is not recommended. If servers are left unpatched, attackers could gain control over desktop and user accounts and steal confidential data and intellectual property. The stolen data can then be used as they patiently and quietly work to break into other systems over long periods of time, with the goal of installing ransomware and extorting payment.

CVE-2021-22005 impacts vCenter Server versions 6.5, 6.7, and 7.0.


Total CVEs

  • CVE-2021-21991
  • CVE-2021-21992
  • CVE-2021-21993
  • CVE-2021-22005
  • CVE-2021-22006
  • CVE-2021-22007
  • CVE-2021-22008
  • CVE-2021-22009
  • CVE-2021-22010
  • CVE-2021-22011
  • CVE-2021-22012
  • CVE-2021-22013
  • CVE-2021-22014
  • CVE-2021-22015
  • CVE-2021-22017
  • CVE-2021-22018
  • CVE-2021-22019
  • CVE-2021-22020


How Avertium is Protecting Our Clients

  • It’s important not to expose your vCenter server to the internet. As an alternative, put the server behind a VPN so it can still be accessed remotely without being exposed to the internet.

  • Avertium has an Architecture & Integrations team who can help set up a VPN for your VMware systems if you don’t already have one.

  • Avertium’s Vulnerability Management as a Service (VMaaS) can help identify critical vulnerabilities such as these for patching.

Recommendations for CVE-2021-22005

  • Patch. The best thing you can do right now is make sure you patch your server with VMware’s latest security update.

  • If unable to patch right away, VMware suggests a workaround that involves editing a text file on the VCSA and restarting services; it is documented in VMSA-2021-0020 (see References below).

  • If unable to patch right away, VMware recommends using network perimeter access controls or the vCenter Server Appliance firewall to curtail access to the vCenter Server management interfaces.

  • VMware strongly suggests limiting access to vCenter Server, ESXi, and vSphere management interfaces to vSphere Admins only. Drive all other workload management activity through the VM network connections. This simplifies access control and makes RDP or SSH management traffic subject to other security controls, such as IDS/IPS and monitoring.

Additional IPs Scanning for CVE-2021-22005

  • 37[.]187.96.183
  • 185[.]31.175.247
  • 178[.]17.170.13
  • 209[.]141.45.189
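To check whether the scanner IPs quoted in this notice (the address above and the four listed here) have already touched a vCenter's web tier, the following added example (not Avertium's or VMware's code) refangs the defanged addresses and matches them against Apache/NGINX combined-format access-log lines; the log format and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Scanner IPs quoted in this notice, in the defanged form the notice uses.
DEFANGED_SCANNERS = [
    "116[.]48.233.234",
    "37[.]187.96.183",
    "185[.]31.175.247",
    "178[.]17.170.13",
    "209[.]141.45.189",
]

def refang(ioc: str) -> str:
    """Turn a defanged IPv4 string such as 116[.]48.233.234 back into a real address."""
    # ip_address() also validates the result, so a typo in an IOC fails loudly.
    return str(ipaddress.ip_address(ioc.replace("[.]", ".")))

SCANNERS = {refang(ioc) for ioc in DEFANGED_SCANNERS}

# Assumed Apache/NGINX "combined" access-log layout for the proxy or web tier in front of vCenter.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_scanner_hits(log_lines):
    """Return (ip, timestamp, method, path, status) for every request from a listed scanner IP."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the whole sweep
        if m["ip"] in SCANNERS:
            hits.append((m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic) to exercise the matcher.
SAMPLE_LOG = [
    '10.0.0.7 - - [22/Sep/2021:08:01:13 +0000] "GET /ui/ HTTP/1.1" 200 5120',
    '116.48.233.234 - - [22/Sep/2021:08:02:45 +0000] "GET / HTTP/1.1" 200 1024',
    '37.187.96.183 - - [22/Sep/2021:08:03:02 +0000] "HEAD / HTTP/1.1" 200 0',
    'garbage line that does not parse',
    '116.48.233.234 - - [22/Sep/2021:08:05:59 +0000] "GET /ui/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_scanner_hits(SAMPLE_LOG):
        print("scanner hit:", hit)
```

A hit only shows that a listed scanner reached the appliance; confirming exploitation still requires checking the appliance's own service logs and patch level.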

References

Hackers are scanning for VMware CVE-2021-22005 targets, patch now! (bleepingcomputer.com)

VMSA-2021-0020: What You Need to Know - VMware vSphere Blog

VMSA-2021-0020 (vmware.com) 

GreyNoise
