VMware patches Critical vulnerability that exposed thousands of servers online

VMware has patched multiple vulnerabilities, including one Critical vulnerability (CVE-2021-21972) that has exposed thousands of servers online.

In total, VMware has patched three vulnerabilities in VMware ESXi and vCenter Server products as part of security advisory VMSA-2021-0002 issued on February 23, 2021.

Servers exposed to CVE-2021-21972

One of the VMware patches addresses CVE-2021-21972, a remote code execution vulnerability in a vCenter Server plugin of the vSphere Client (HTML5).

“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” VMware wrote in the advisory.

Of special note, security researchers have already scanned for, and spotted, servers online that are vulnerable to CVE-2021-21972.

According to a tweet sent out Wednesday, Bad Packets detected “mass scanning” targeting VMware vCenter servers.

To make matters worse, several researchers have also posted proof-of-concept (PoC) exploit code, which bad actors may already be using to speed up attacks against internet-exposed VMware systems.

The Critical vulnerability carries a CVSS score of 9.8 and impacts VMware vCenter Server versions 6.5, 6.7 and 7.0.

OpenSLP CVE-2021-21974

VMware also patched an ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974).

“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” VMware noted in the advisory.

The vulnerability carries a CVSS score of 8.8 and impacts VMware ESXi versions 6.5, 6.7 and 7.0.

vSphere Client SSRF CVE-2021-21973

The third VMware patch fixed an SSRF vulnerability in the vSphere Client (CVE-2021-21973).

“A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure,” VMware added.

The vulnerability carries a CVSS score of 5.3 and impacts VMware vCenter Server versions 6.5, 6.7 and 7.0.
