Critical RCE and SLP Protocol Vulnerabilities in VMWare

On 23 February 2021, VMWare announced it patched multiple vulnerabilities in its VMWare vCenter and ESXi products. The vulnerabilities consisted of a critical unauthenticated remote code execution (RCE), server-side forgery request (SSRF), and a heap overflow vulnerability in OpenSLP protocol. VMWare released the 23 February advisory with patch updates as well as workarounds. Additionally, as of the evening of 24 February, multiple exploit proofs of concept (POCs) for one or more of the vulnerabilities were publicly released. TRT Intel strongly advises to ensure the updates or workaround are implemented, due to the potential impact and fallout of the successful compromise. TRT Intel is also aware of ransomware and possible state-sponsored activity that have leveraged vulnerabilities in VMWare products in previous campaigns.

Threat and Technical Data

On 23 February 2021, VMWare announced it patched multiple vulnerabilities in its VMWare vCenter and ESXi products. The vulnerabilities consisted of a critical unauthenticated remote code execution (RCE) (CVE-2021-21972), server-side forgery request (SSRF) (CVE-2021-21973), and a heap overflow vulnerability in OpenSLP protocol as used by ESXi (CVE-2021-21974).  The summary of each of the vulnerabilities are as follows:

CVE-2021-21972 – an unauthenticated RCE in vCenter Server (Critical)

CVE-2021-21973 – a SSRF vulnerability in vSphere Client plugin for vCenter, resulting in information disclosure; requires network access to Port 443 (Moderate)

CVE-2021-21974 – Heap overflow in ESXi Service Location Protocol (SLP) over port 427, which may result in RCE (Critical)

The vulnerabilities were initially discovered, and reported to VMWare, in October 2020.  VMWare acknowledged and began working to remedy the issue which was completed in February 2021. Official technical details of any proofs of concept (POCs) were withheld from the public until 24 February when two POCs were dropped onto GitHub, after which a technical paper by researchers at security firm PTSwarm was also released.

Conclusion & Assessment

Fidelis TRT Intel has previously identified vulnerabilities in VMWare products, including CVE-2020-4006, as priority vulnerabilities which may pose a high-risk to organizations running unpatched or insecure installations.  This and other vulnerabilities in various VMWare including ESXi (over SLP), vIDM, and vAccess have been known to be leveraged by state-sponsored/employed groups as well as by ransomware affiliated campaigns.  In addition to segregating and/or securing management consoles from VM instances and disabling unused ports and protocols where possible, it is advised to also implement the updates or workarounds provided by the vendor in the recent security advisory released on 23 February.  TRT Intel will continue to strive to provide proactive, risk-based assessments and indications and warnings of trending and emerging vulnerability threats to organizations.

 

References

https://www.vmware.com/security/advisories/VMSA-2021-0002.html 

https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-21972

https://swarm.ptsecurity.com/unauth-rce-vmware/

https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC (POC)

http://noahblog.360.cn/vcenter-6-5-7-0-rce-lou-dong-fen-xi/ (POC)

https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-exploits-to-encrypt-virtual-hard-disks/