Security Week 23: Exploiting a Vulnerability in VMware vCenter

A vulnerability in VMware vCenter Server, the management software for VMware-based cloud infrastructure, risks becoming a problem comparable in severity to the zero-day discovered earlier this year in Microsoft Exchange. Although far fewer vCenter Server installations are reachable from the network (thousands versus tens of thousands of mail servers), each of them can manage a huge fleet of virtual machines. CVE-2021-21985 was patched at the end of May; this week's news is that a working proof of concept (PoC) has appeared in the public domain and the active exploitation phase has begun.





Another parallel with the March Exchange problems is the severity of the vulnerability itself: it scored 9.8 out of 10 on the CVSSv3 scale and gives an attacker full access to the operating system on which vCenter Server runs. Specifically, the flaw was found in the Virtual SAN Health Check plugin, which is enabled by default in every vCenter Server deployment, whether or not vSAN is actually used. For administrators of VMware-based infrastructure this is a reason to update to the patched version immediately, or at least to disable the vulnerable plugin as a stopgap.










Last week brought not only evidence that the PoC works, but also reports from honeypot operators of mass port scanning in search of vulnerable installations. A query in the specialized search engine Shodan returns about 5,500 vCenter servers reachable from the Internet, most of them in the United States. On June 4, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an official warning. Ars Technica points out that this year has already produced several vulnerabilities of the "it may be too late to patch" class: the Exchange Server problem mentioned above, vulnerabilities in Pulse Secure and Fortinet VPN products, and holes in BIG-IP server software from F5 Networks. In the VMware case, administrators had only a few days between the patch and the public exploit to fix the problem. In the Exchange case they had to react immediately: exploitation began before the patch was released.



What else happened



A "cyber incident" (most likely a ransomware attack) hit JBS Foods, a large meat supplier.



Sophos is investigating malware that exploits the March vulnerabilities in Exchange Server to gain access and then encrypts data.



Recent research from Kaspersky Lab: reports on the evolution of threats in the first quarter of 2021 (an overview article and statistics for PCs and mobile devices), an overview of the Gootkit Trojan, and a guide to e-mail spoofing.



This week Amazon is enabling Amazon Sidewalk, a feature that joins the company's devices (such as Amazon Ring doorbell cameras and other home security products) into a mesh network. Sidewalk has a questionable privacy property: for "greater efficiency", other people's devices can reach Amazon's servers through your Internet connection.


