The multi-layer infrastructure large organizations run on is hard to manage, and we both know that (it’s an understatement). When a vulnerability like CVE-2021-21972 pops up, it reveals how messy the process of patching and mitigation can be.
However, the only way is through! And because discovering and reporting vulnerabilities is what we help you accomplish, we often go in-depth into vulns like these so you don’t have to make an extra effort.
So let’s unpack this particular CVE, starting with a quick timeline.
On February 23, 2021, VMware released a patch (VMSA-2021-0002) for CVE-2021-21972. The same security advisory also covers an SSRF vulnerability in vCenter Server and a separate vulnerability in the VMware ESXi hypervisor. The two vCenter issues are:
- Unauthenticated file upload leading to remote code execution (RCE) (CVE-2021-21972)
- An unauthenticated server-side request forgery (SSRF) vulnerability (CVE-2021-21973).
Let’s add a little context.
What is VMware vSphere?
VMware vSphere is VMware’s virtualization platform, which transforms data centers into aggregated computing infrastructures that include CPU, storage, and networking resources. vSphere manages these infrastructures as a unified operating environment and provides you with the tools to manage the data centers that participate in that environment.
The two core components of vSphere are ESXi and vCenter Server:
- ESXi is the virtualization platform where you create and run virtual machines and virtual appliances
- vCenter Server is the service through which you manage multiple hosts connected in a network and pool host resources.
How the VMware vCenter RCE vuln works
The vSphere Client (HTML5) was affected by a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 could exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server.
This vuln, tracked as CVE-2021-21972, affects:
- VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n)
- VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
Because so many companies run VMware vCenter on their networks, Positive Technologies, which reported the bug, initially planned to keep the technical details and proof-of-concept private until system administrators had enough time to apply the patch.
However, a Chinese researcher and other infosec analysts published proof-of-concept code within days, which effectively forced impacted companies to patch. Mass scanning for vCenter systems left exposed online started almost immediately, with attackers hurrying to compromise them.
How CVE-2021-21972 exposes your system to remote exploitation
The root cause is the vRealize Operations (vROps) vCenter Plugin, which ships with vCenter Server whether or not you use vRealize Operations. An attacker can exploit a vulnerable system remotely, without credentials, by uploading a crafted file. That’s why it’s so critical for companies to apply the available patches ASAP.
But before we dive deeper into the patching details, we must gain a strong understanding of CVE-2021-21972.
Details and analysis of the vulnerability
The vuln exists because the vSphere Client requires no authentication for anything under the /ui/vropspluginui/rest/services/* endpoint.
Within that namespace, the vulnerable function is uploadOvaFile, reached through the URL /ui/vropspluginui/rest/services/uploadova. The handler accepts an uploaded OVA (a tar archive), unpacks it into a staging directory, and writes each entry under the file name stored in the archive without sanitizing it, so an entry name containing ../ sequences lands wherever the attacker points it.
In effect, the uploadOvaFile handler lets an unauthenticated attacker write an arbitrary file to any location on the vCenter Server that the vsphere-ui service can write to.
For Windows systems, the adversary uploads a crafted .jsp web shell into a directory served by vCenter and executes commands with SYSTEM privileges, since vCenter Server runs as SYSTEM on Windows.
For Linux systems (the vCenter Server Appliance), the malicious actor generates an SSH key pair and writes the public key into the vsphere-ui user’s authorized_keys file. As a consequence, they can connect to the vulnerable server via SSH as that user.
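To make the bug class concrete, here is an added example (our own illustration, not Positive Technologies’ exploit or VMware’s plugin code) of a tar extractor with the same defect beside a hardened one. Everything runs inside a throwaway temp directory; the staging-directory name, the entry name and the fake public key are constructed for the demo.

```python
"""Tar extraction with and without a path-traversal check.

Mirrors the bug class behind CVE-2021-21972: an uploaded OVA (a tar archive)
is unpacked into a staging directory and each entry is written under the
name stored in the archive, so "../" in an entry name escapes the directory.
Everything here runs inside a throwaway temp directory.
"""
import io
import os
import tarfile
import tempfile

# Constructed sample: an entry name that climbs out of the staging directory
# and lands on the vsphere-ui user's authorized_keys (the Linux attack path).
TRAVERSAL_ENTRY = "../../home/vsphere-ui/.ssh/authorized_keys"
FAKE_PUBKEY = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForDemoOnly attacker@example\n"


def build_tar(entries):
    """Build an in-memory tar from (name, payload) pairs; names are stored verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_unsafe(tar_bytes, dest_dir):
    """Vulnerable extractor: joins the archive name onto dest_dir unchecked."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # No normalisation and no containment check: "../" walks out of dest_dir.
            target = os.path.join(dest_dir, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(os.path.realpath(target))
    return written


def extract_safe(tar_bytes, dest_dir):
    """Hardened extractor: every entry must resolve inside dest_dir; links are refused."""
    root = os.path.realpath(dest_dir)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                raise ValueError(f"refusing link entry: {member.name}")
            # realpath collapses "../" and absolute names; commonpath proves containment.
            target = os.path.realpath(os.path.join(root, member.name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"path traversal in entry: {member.name}")
            if not member.isfile():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(target)
    return written


def demo():
    """Run both extractors in a sandbox and report what each one wrote."""
    hostile = build_tar([(TRAVERSAL_ENTRY, FAKE_PUBKEY)])
    benign = build_tar([("disk1.vmdk", b"not really a disk image")])
    with tempfile.TemporaryDirectory() as sandbox:
        sandbox = os.path.realpath(sandbox)
        # Staging directory modelled on the plugin's /tmp/unicorn_ova_dir, two levels deep
        # so that "../../" lands at the sandbox root instead of the real filesystem root.
        dest = os.path.join(sandbox, "tmp", "unicorn_ova_dir")
        os.makedirs(dest)
        unsafe_paths = extract_unsafe(hostile, dest)
        try:
            extract_safe(hostile, dest)
            blocked = False
        except ValueError:
            blocked = True
        safe_paths = extract_safe(benign, dest)
        return {
            "unsafe_wrote": [os.path.relpath(p, sandbox) for p in unsafe_paths],
            "unsafe_escaped": any(not p.startswith(dest + os.sep) for p in unsafe_paths),
            "safe_blocked_traversal": blocked,
            "safe_wrote": [os.path.relpath(p, sandbox) for p in safe_paths],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable extractor drops the file at home/vsphere-ui/.ssh/authorized_keys relative to the sandbox root, two directories above where it was told to unpack; the hardened one refuses the archive outright and only ever writes under the staging directory. The same containment check (resolve, then compare against the intended root) is the fix for any archive format, not just tar.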
[Screenshot: vulnerable Windows system (source: Positive Technologies)]
[Screenshot: vulnerable Linux system (source: Positive Technologies)]
If successfully exploited, this vulnerability gives an unauthenticated attacker remote code execution on the vCenter Server: in the context of the vsphere-ui user on the Linux appliance, and as SYSTEM on Windows installs.
At the time of writing, we found 6851 potentially vulnerable targets indexed by Shodan.
You can search for potential targets yourself, for educational purposes, starting from this basic Shodan query: http.title: “ID_VC_Welcome”.
Opportunistic mass scanning activity detected from hosts in 🇦🇱 🇧🇷 🇨🇦 🇨🇳 🇩🇪 🇭🇰 🇮🇳 🇮🇩 🇯🇵 🇳🇱 🇷🇺 🇸🇬 🇰🇷 🇨🇭 🇦🇪 🇬🇧 🇺🇸 🇻🇳 targeting VMware vCenter servers vulnerable to remote code execution (CVE-2021-21972). #threatintel https://t.co/kOfqzW2Rmi
— Bad Packets (@bad_packets) February 26, 2021
Depending on your OS and context, there are various levels of fallout that result from an attacker exploiting this CVE:
- If the threat actor can successfully exploit this vulnerability, they can gain remote code execution in the underlying operating system of the vCenter Server.
- For Windows hosts, the attacker could upload a malicious .jsp file and gain SYSTEM privileges on the server.
- For Linux servers, the attacker generates an SSH key pair, uploads the public key into the authorized_keys file in the vsphere-ui user’s .ssh directory, and connects via SSH to the vulnerable server.
- Any malicious hacker who can reach port 443 on the vulnerable vCenter server can harvest its data, fully compromise the host, and pivot to any virtual machine it manages.
No matter which scenario is more likely to happen in your case, the consequences are… not great.
How to detect CVE-2021-21972 when your endpoint protection doesn’t
If your endpoint security solution can’t detect exploitation of this critical flaw, here’s a simpler way: review the vSphere Client (vsphere-ui) access logs and look for requests to the /ui/vropspluginui/rest/services/uploadova endpoint, and more generally for any unauthenticated hits under /ui/vropspluginui/rest/services/.
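As an added example (not part of the original post, and not a VMware or Pentest-Tools.com tool), the following script runs that log review over access-log lines in common log format. The sample lines are constructed for the demo; point it at whatever access log your vsphere-ui Tomcat instance writes. It normalizes the request path first, so ../ and percent-encoded variants of the upload URL are still matched.

```python
"""Scan web access-log lines for hits on the unauthenticated vROps plugin endpoints."""
import posixpath
import re
import sys
from collections import Counter, defaultdict
from urllib.parse import unquote

PLUGIN_PREFIX = "/ui/vropspluginui/rest/services/"
UPLOAD_PATH = PLUGIN_PREFIX + "uploadova"

# Common/combined log format as written by Apache- or Tomcat-style access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real vCenter logs): a probe of another plugin
# endpoint, a successful upload, ordinary UI traffic, an upload refused with
# 401 (patched host) and a traversal-obfuscated attempt that hit a 404.
SAMPLE_LOG = """
203.0.113.7 - - [24/Feb/2021:10:15:31 +0000] "GET /ui/vropspluginui/rest/services/getstatus HTTP/1.1" 200 64
203.0.113.7 - - [24/Feb/2021:10:15:32 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 45
10.0.0.5 - - [24/Feb/2021:10:16:02 +0000] "GET /ui/login HTTP/1.1" 200 1024
198.51.100.9 - - [24/Feb/2021:10:16:40 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 401 0
192.0.2.44 - - [24/Feb/2021:10:18:00 +0000] "GET /ui/vropspluginui/rest/foo/../services/upload%6fva?x=1 HTTP/1.1" 404 0
""".strip().splitlines()


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    # Strip the query string, percent-decode, then collapse "../" so obfuscated
    # variants of the upload URL compare equal to the canonical one.
    raw = unquote(req["path"].split("?", 1)[0])
    req["path"] = posixpath.normpath(raw)
    return req


def classify(req):
    """Severity of one request against the plugin namespace, or None if unrelated."""
    if not req["path"].startswith(PLUGIN_PREFIX):
        return None
    if req["path"] == UPLOAD_PATH:
        if req["method"] == "POST" and 200 <= req["status"] < 300:
            return "high"    # upload accepted: treat the host as compromised until proven otherwise
        return "medium"      # upload attempted but refused (patched, workaround applied, malformed)
    return "low"             # reconnaissance against the unauthenticated plugin namespace


def scan(lines):
    """Return a finding per matching request, in log order."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        severity = classify(req)
        if severity:
            findings.append({"severity": severity, "ip": req["ip"], "ts": req["ts"],
                             "method": req["method"], "path": req["path"],
                             "status": req["status"]})
    return findings


def sources_by_severity(findings):
    """Map severity -> {source IP: hit count}, handy for blocking and for scoping IR."""
    out = defaultdict(Counter)
    for f in findings:
        out[f["severity"]][f["ip"]] += 1
    return {sev: dict(c) for sev, c in out.items()}


if __name__ == "__main__":
    # Usage: python scan_vrops.py /path/to/access.log   (defaults to the sample lines)
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    hits = scan(lines)
    for f in hits:
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} {f['method']} {f['path']} -> {f['status']}")
    print(sources_by_severity(hits))
```

A high finding means a POST to uploadova was answered with a 2xx, which on an unpatched host means the archive was unpacked; from that point the question is no longer whether you are vulnerable but what was written, so look for new .jsp files under the vCenter web roots and for changes to /home/vsphere-ui/.ssh/authorized_keys. Medium and low findings still tell you who is scanning you and whether your patch or workaround is holding.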
How to detect CVE-2021-21972 with Pentest-Tools.com
Removing friction in your workflow is our specialty, so here’s how to get this job done without extra tools.
Log into your Pentest-Tools.com account.
Under Tools, check out the Web Application Testing menu and select Network Vulnerability Scan with OpenVAS.
In the scanner’s configuration, set your target URL and select the “Full Scan” option.
Do not add any authentication method because your goal is to find resources you can access without being authorized. If you want to use your time effectively, choose to get an email notification when the scan is finished.
Once the scanner wraps up, you can go through the results to see if you are vulnerable to CVE-2021-21972.
You can also export a quick report with this specific issue if you need to pass it on, either in PDF, HTML, or a customizable DOCX.
How to mitigate CVE-2021-21972
We recommend applying the patches VMware released for CVE-2021-21972 across your environment as soon as possible.

| Product version | Fixed version | Month addressed |
|---|---|---|
| vCenter Server 7.0 | 7.0 U1c | December 2020 |
| vCenter Server 6.7 | 6.7 U3l | November 2020 |
| vCenter Server 6.5 | 6.5 U3n | February 2021 |
| Cloud Foundation 3.x | 3.10.1.2 | February 2021 |
| Cloud Foundation 4.x | 4.2 | February 2021 |
If you can’t patch immediately, VMware provides a workaround for CVE-2021-21972 and CVE-2021-21973: system administrators edit the vSphere Client’s compatibility matrix file to mark the vRealize Operations vCenter Plugin as incompatible, then restart the vsphere-ui service so the plugin (and its unauthenticated endpoints) is no longer loaded.
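As an added example (not VMware’s own tooling, and not from the original post), this script applies that change to a copy of the compatibility matrix file idempotently and verifies the result. The element names (Matrix, pluginsCompatibility, PluginPackage) and the plugin id com.vmware.vrops.install are our recollection of VMware’s workaround KB and should be checked against it before use; the sample file content is constructed.

```python
"""Mark the vROps vCenter plugin incompatible in a compatibility-matrix XML file."""
import sys
import xml.etree.ElementTree as ET
from typing import Optional

# Assumption: plugin package id as given in VMware's workaround KB; verify there.
VROPS_PLUGIN_ID = "com.vmware.vrops.install"

# Constructed stand-in for the real file (assumed layout: a Matrix root with a
# pluginsCompatibility section); the real file carries more comments.
SAMPLE_MATRIX = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
  </pluginsCompatibility>
</Matrix>
"""


def plugin_status(xml_text: str, plugin_id: str = VROPS_PLUGIN_ID) -> Optional[str]:
    """Return the status attribute recorded for plugin_id, or None if absent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == plugin_id:
            return pkg.get("status")
    return None


def disable_plugin(xml_text: str, plugin_id: str = VROPS_PLUGIN_ID) -> str:
    """Return the XML with plugin_id marked incompatible; safe to apply repeatedly."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "Matrix":
        raise ValueError(f"unexpected root element <{root.tag}>, refusing to edit")
    section = root.find("pluginsCompatibility")
    if section is None:
        section = ET.SubElement(root, "pluginsCompatibility")
    for pkg in section.findall("PluginPackage"):
        if pkg.get("id") == plugin_id:
            pkg.set("status", "incompatible")   # already listed: just flip the status
            break
    else:
        ET.SubElement(section, "PluginPackage", {"id": plugin_id, "status": "incompatible"})
    ET.indent(root) if hasattr(ET, "indent") else None  # pretty-print on Python 3.9+
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    # Usage: python disable_vrops.py <path to compatibility-matrix.xml>
    # Without a path it just shows the transformation on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            before = fh.read()
        after = disable_plugin(before)
        with open(sys.argv[1] + ".new", "w", encoding="utf-8") as fh:
            fh.write(after)
        print(f"wrote {sys.argv[1]}.new; status now: {plugin_status(after)}")
    else:
        print(disable_plugin(SAMPLE_MATRIX))
```

Two practical caveats: ElementTree drops XML comments, so on the real file either edit by hand as the KB describes or review the .new file before moving it into place (keep the original as a backup either way); and the change only takes effect after the vsphere-ui service is restarted, after which a request to the plugin namespace should no longer be served. Remember this is a stopgap: it removes the attack surface but does not fix the code, so the patch still has to go in.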
VMs are great – if you constantly keep an eye on them
Global businesses run VMware technology to manage their IT infrastructure more easily and automate workloads. While the platform helps organizations increase IT efficiency, unpatched vCenter servers open them up to a range of security issues.
Regular monitoring is a must-have to ensure business continuity and scheduled scans (which you can also get on Pentest-Tools.com) are a low-effort way to surface potential problems before they escalate.
Our team keeps working to add new features and improve the tools (now at 25+) on Pentest-Tools.com so you can detect vulnerabilities fast.
If you want to get more demos and exploitation guides like this one in your inbox (and nothing else!), drop your email below.