Security researchers have spotted thousands of unpatched, vulnerable VMware vCenter Server instances exposed on the internet. Multiple proofs-of-concept (PoCs) for exploiting the remote code execution (RCE) vulnerability CVE-2021-21985 have also been posted online.
VMware released a critical security advisory (VMSA-2021-0010) on May 25 fixing two vulnerabilities in vCenter Server. The more serious one, CVE-2021-21985, allows remote code execution (RCE) through the vSphere Client (HTML5): the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server whether or not vSAN is actually in use, lacks input validation. According to VMware, an attacker with network access to port 443 can exploit this to execute commands with unrestricted privileges on the operating system that hosts vCenter Server.
The other patched vulnerability, CVE-2021-21986, is a flaw in the authentication mechanism of several vCenter Server plug-ins (Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability) that lets an attacker with access to port 443 perform actions those plug-ins allow without authenticating.
Researchers from Trustwave used the Shodan search engine to find 5,271 instances of VMware vCenter Server directly connected to the internet.
“We decided to review Shodan for a quick analysis on the number of vCenter Server instances directly connected to the Internet that are vulnerable to these flaws based on their self-reported version,” Trustwave wrote in a blog post.
After analyzing the Shodan data, the security firm found that 4,019 of those 5,271 instances, roughly three-quarters, were vulnerable as of the blog posting, judged by their self-reported versions. A further 950 were not vulnerable to these two flaws but were running end-of-life versions that no longer receive security fixes.
Most of the vulnerable systems run vCenter Server 6.7.0, 6.5.0 or 7.0.x, the three release lines the advisory patches.
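As an added illustration of the version triage Trustwave describes, the Python below classifies self-reported vCenter Server version/build pairs, the kind of data Shodan records, into vulnerable, patched, end-of-life and unknown. This is example code written for this article, not Trustwave's script. The first fixed build for each supported line (7.0 U2b, 6.7 U3n, 6.5 U3p) is filled in from VMSA-2021-0010 as an assumption and must be confirmed against the advisory; treating lines older than 6.5 as end of life is likewise an assumption, and the sample records are constructed.

```python
import re

# ASSUMPTION: first fixed build per supported vCenter Server line (VMSA-2021-0010).
# Verify against the advisory before relying on these numbers.
FIXED_BUILDS = {
    "7.0": 17958471,  # vCenter Server 7.0 Update 2b
    "6.7": 18010531,  # vCenter Server 6.7 Update 3n
    "6.5": 17994927,  # vCenter Server 6.5 Update 3p
}
OLDEST_SUPPORTED = (6, 5)  # ASSUMPTION: anything older is treated as end of life

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def classify(version, build):
    """Return 'vulnerable', 'patched', 'eol' or 'unknown' for one self-reported pair."""
    m = VERSION_RE.match((version or "").strip())
    if not m:
        return "unknown"  # unparseable or missing version string
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) < OLDEST_SUPPORTED:
        return "eol"
    line = f"{major}.{minor}"
    if line not in FIXED_BUILDS:
        return "unknown"  # a release line the advisory does not cover
    try:
        build_no = int(build)
    except (TypeError, ValueError):
        return "unknown"  # affected line, but no usable build number to compare
    # Build numbers only increase monotonically within a line, so the
    # comparison is done per line, never against a single global threshold.
    return "patched" if build_no >= FIXED_BUILDS[line] else "vulnerable"


def summarize(records):
    """Count records per class; each record is a dict with 'version' and 'build'."""
    counts = {"vulnerable": 0, "patched": 0, "eol": 0, "unknown": 0}
    for rec in records:
        counts[classify(rec.get("version"), rec.get("build"))] += 1
    return counts


# Constructed sample records, not real Shodan output. The builds below the
# fixed builds are made-up numbers.
SAMPLE = [
    {"version": "7.0.2", "build": "17958471"},  # 7.0 U2b: patched
    {"version": "7.0.1", "build": "17000000"},  # older 7.0 build: vulnerable
    {"version": "6.7.0", "build": "18010531"},  # 6.7 U3n: patched
    {"version": "6.7.0", "build": "17000000"},  # vulnerable
    {"version": "6.5.0", "build": "16000000"},  # vulnerable
    {"version": "6.0.0", "build": "9000000"},   # end of life
    {"version": "6.5.0", "build": None},        # build missing: unknown
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["version"], rec["build"], "->", classify(rec["version"], rec["build"]))
    print(summarize(SAMPLE))
```

Two caveats for anyone running this against real data. First, the comparison has to be per release line: the 6.7 U3n build number is higher than the 7.0 U2b one, so a single global "patched if build >= N" rule would misclassify 7.0 hosts. Second, the version and build are whatever the server reports about itself, so the result is triage, not proof; a host that reports a patched build can still be misconfigured, and a host that reports nothing useful lands in "unknown" rather than being assumed safe.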
RCE Exploit Proof-of-Concept
Finally, Trustwave linked to several publicly posted proofs-of-concept (PoCs) for exploiting the RCE vulnerability CVE-2021-21985:
- https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/
- http://noahblog.360.cn/vcenter-cve-2021-2021-21985
- https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985
- https://github.com/alt3kx/CVE-2021-21985_PoC