
Over 6,700 VMware Servers With Remote Code Execution Security Bug Exposed to the Internet

About 6,700 VMware vCenter servers vulnerable to a remote code execution security bug and a server-side request forgery (SSRF) flaw are exposed to the Internet, according to Bad Packets.

The threat intelligence firm said it discovered mass scanning activity targeting vulnerable VMware servers after a Chinese cybersecurity researcher published proof of concept (POC) code for the VMware vSphere Client security bug, CVE-2021-21972.

Meanwhile, VMware released patches for the two remote code execution faults, CVE-2021-21972 and CVE-2021-21974, and the server-side request forgery (SSRF) vulnerability, CVE-2021-21973, on Feb 3.

Shodan discovers thousands of vulnerable VMware servers exposed to the internet

Shodan queries revealed that more than 6,700 vCenter servers are connected to the Internet and could be exploited to breach network perimeters. This figure is on the lower end as BinaryEdge reports that about 14,000 VMware servers are accessible on the Internet.

These installations could be exploited for remote code execution unless patched immediately. However, experience shows that many users continue running vulnerable systems long after security fixes for known vulnerabilities became available.

Vulnerable VMware servers allow attackers to execute arbitrary commands

Positive Technologies security researcher Mikhail Klyuchnikov discovered the three vulnerabilities affecting VMware ESXi, VMware vCenter Server (vCenter Server), and VMware Cloud Foundation (Cloud Foundation).

The most critical security bug, CVE-2021-21972, affects the vCenter Server and has a CVSS v3 score of 9.8. VMware said the vulnerability exists in the vCenter Server plugin for vRealize Operations (vROPs) in the vSphere Client functionality.

The plugins install by default and do not require vROPs to be present. VMware says that an attacker with network access to port 443 may exploit this issue and execute privileged commands on the host operating system.

Positive Technologies said threat actors who penetrated the corporate network perimeter posed the most serious threat.

A persistent threat actor could have breached the internal network using other techniques such as social engineering or backdoors. Klyuchnikov also noted that the vulnerability could be exploited by any unauthorized user.

The security bug enables an attacker to send a specially crafted request, allowing them to execute arbitrary commands. The threat actor can then propagate through the network and access data about virtual machines and system users, according to Klyuchnikov.

The security vulnerability could be exploited through any vulnerable software accessible from the Internet. Positive Technologies breached network perimeters of 93% of organizations tested and accessed local resources during pentests, the company says.

Klyuchnikov discovered another remote code execution vulnerability, CVE-2021-21974, which resides in VMware ESXi and has a CVSS v3 base score of 8.9.

Successful exploitation of the security bug leads to a heap overflow in the OpenSLP component in an ESXi host. To trigger this vulnerability for remote code execution, an attacker must reside in the same network segment and have access to port 427.

SSRF security bug allows hackers to scan for vulnerable VMware servers

The Positive Technologies researcher also discovered the Server Side Request Forgery (SSRF) security bug CVE-2021-21973 with a CVSS score of 5.3.

The vulnerability stems from improper validation of URLs in a vCenter Server plugin. An attacker with access to port 443 could trigger the vulnerability leading to information disclosure by initiating a POST request to the vCenter Server plugin.

This vulnerability allows attackers to craft attacks to exploit other vulnerabilities. An attacker scans for vulnerable VMware servers to obtain open ports before exploiting the remote code execution vulnerabilities.

The vulnerability could also be an excellent candidate for denial of service (DDoS) attacks. VMware advised organizations to install the newly-released patches or implement the workarounds provided in its bug report. Removing VMware server interfaces from network perimeters would prevent attackers from breaching corporate networks, according to Positive Technologies.

Positive Technologies notified VMware of the vulnerabilities on October 2, 2020, but released its findings on February 24, 2021, after the proof of concept code was released.

“Assuming VMware was informed about the RCE flaw in October last year, it’s incomprehensible why the patch has only been released after the vulnerability details were made public,” says Ilia Kolochenko, CEO at ImmuniWeb. “Exploitation simplicity and the impact of the vulnerability are both highly critical, permitting even unskilled attackers to take control over entire corporate networks within minutes.”

However, Kolochenko believes that the exposed organizations shared responsibility for failing to implement proper security configurations.

“It is, however, fair to say that normally vSphere Client web interface should not be accessible from the Internet or at least should have strict IP filtering rules. Therefore, compromised organizations undoubtedly share responsibility for being breached via this vulnerability.”
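One way to check the IP-filtering advice above against a rule set, as an added example that is not from the article or from VMware: it flags allow rules that let sources outside a management range reach vCenter on port 443 or ESXi on port 427, the two ports the article names. The rule format, role names, rule names and addresses are constructed for illustration, and rule ordering is not modelled.

```python
import ipaddress

# Ports named in the article: vSphere Client on 443 (CVE-2021-21972/21973),
# ESXi OpenSLP on 427 (CVE-2021-21974). Role names are assumptions.
SENSITIVE = {"vcenter": 443, "esxi": 427}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def port_in(spec, port):
    """True if a rule's port spec ('443', '400-500' or 'any') covers port."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def within(net, allowed):
    """True if net lies entirely inside one of the allowed networks."""
    return any(net.subnet_of(a) for a in allowed)


def audit(rules, mgmt_cidrs):
    """Return (rule name, port, level) for each allow rule that exposes a
    sensitive port to sources outside the management ranges. Each rule is
    judged on its own; first-match ordering is not modelled."""
    mgmt = [ipaddress.ip_network(c) for c in mgmt_cidrs]
    findings = []
    for r in rules:
        port = SENSITIVE.get(r["dst_role"])
        if r["action"] != "allow" or port is None or not port_in(r["ports"], port):
            continue
        src = ipaddress.ip_network(r["src"])
        if within(src, mgmt):
            continue
        level = "internal-broad" if within(src, RFC1918) else "internet-exposed"
        findings.append((r["name"], port, level))
    return findings


# Constructed sample rule set (not taken from any real firewall).
RULES = [
    {"name": "admin-jump", "src": "10.20.0.0/24", "dst_role": "vcenter", "ports": "443", "action": "allow"},
    {"name": "legacy-any", "src": "0.0.0.0/0", "dst_role": "vcenter", "ports": "1-1024", "action": "allow"},
    {"name": "office-lan", "src": "10.0.0.0/8", "dst_role": "esxi", "ports": "any", "action": "allow"},
    {"name": "slp-block", "src": "0.0.0.0/0", "dst_role": "esxi", "ports": "427", "action": "deny"},
    {"name": "web-dmz", "src": "0.0.0.0/0", "dst_role": "webserver", "ports": "443", "action": "allow"},
]

if __name__ == "__main__":
    for name, port, level in audit(RULES, ["10.20.0.0/24"]):
        print(f"{name}: port {port} reachable from outside management range ({level})")
```

The port-range rule `legacy-any` is caught even though it never names 443 explicitly, which is the kind of exposure a search for the literal port number misses.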

The failure to disclose the security bugs or release patches puts companies at risk of possible legal and regulatory actions.

“From a legal viewpoint, it’s highly likely that hacked organizations will see little mercy from the regulators or victims whose sensitive data will be stolen,” Kolochenko says. “Sanctions may vary from civil enforcement actions by FTC in the US up to possible criminal prosecution of companies and their executives working in regulated industries in some jurisdictions. On top of this, victims will likely file individual and class actions seeking damages.”