AttackerKB AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B
History: Feb 24, 2021 - 12:00 a.m.

VMware vSphere Client Unauth Remote Code Execution Vulnerability — CVE-2021-21972

2021-02-24 00:00:00 | attackerkb.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
  Percentile: 99.9%

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

Recent assessments:

ccondon-r7 at February 24, 2021 11:19pm UTC reported:

Update March 3: Exploitation in the wild was confirmed over the weekend. See the Rapid7 analysis for more updates.

There are reports of opportunistic scanning for vulnerable vCenter Server endpoints and a bunch of PoC that’s made its way to GitHub over the past twelve hours or so. There hasn’t been confirmation of in-the-wild exploitation yet, but it’s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As @wvu-r7 points out in the Rapid7 analysis, the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I’d be a little surprised if we didn’t see a follow-on CVE at some point for an authentication bypass.

wvu-r7 at February 24, 2021 10:11pm UTC reported:


Assessed Attacker Value: 5
