‘Dangerous’ RCE in VMware: Patch, or the Puppy Gets It

A really nasty remote code execution vulnerability is being widely exploited right now. VMware vCenter can be trivially broken into by scrotes wielding ransomware and other nasties.

9.8 out of 10 is nothing to be sniffed at. It’s no time to be lying around in the grass pretending to be an insect. Get patching already.

And while you’re at it, why are you exposing unhardened admin tools to the internet? In today’s SB Blogwatch, we … squirrel.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: With this airshow, I thee wed.

Music of the vSpheres

What’s the craic? Simon Sharwood says—“VMware warns of critical remote code execution flaw”:

 As vCenter Server is the tool that drives a fleet of virtual servers, this CVSS 9.8-rated bug (CVE-2021-21972) is nasty.

A fix … is needed for vSphere versions prior to 7.0 U1c, 6.7 U3l, and 6.5 U3n. As those releases are all at least a few weeks old, users may already have addressed the issue. Users of Cloud Foundation 3.x and 4.x also need to get patching, pronto.

And Dan Goodin adds in—“Thousands of servers running vCenter server could be in for a nasty surprise”:

 Hackers are mass-scanning the Internet in search of VMware servers with a newly disclosed code-execution vulnerability that has a severity rating of 9.8 out of a possible 10. … Within a day of VMware issuing a patch, proof-of-concept exploits appeared from at least six different sources. The severity of the vulnerability, combined with the availability of working exploits … sent hackers scrambling.

Successful exploits will result in hackers gaining unfettered remote code-execution privileges in the underlying operating system … over port 443 [https]. … Admins who have vCenter servers directly exposed to the Internet should strongly consider curbing the practice or at least using a VPN.

Uh, you don’t say? Surely nobody would be so daft? Troy Mursch—@bad_packets—disagrees:

 14,858 results found on Binary Edge. … Mass scanning activity detected from hosts in Albania, Brazil, Canada, China, Germany, Hong Kong, India, Indonesia, Japan, Netherlands, Russia, Singapore, South Korea, Switzerland, United Arab Emirates, United Kingdom, United States [and] Vietnam.

Yikes. Who found it? Mikhail Klyuchnikov—“dangerous vulnerabilities that threaten many large companies”:

 [It] can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781). The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.

The attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users). If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data.

Note that this vulnerability is dangerous. … It can be used by any unauthorized user.

Sky falling—film at 11 (ask your parents). Davey Winder boils up a delicious pot of copypasta—“What should you do to mitigate the risk?”:

 At the risk of sounding like a broken record, the headline answer to the mitigation question remains patch, patch, patch.

Needless to say—but I’m saying it anyway—you should also ensure that industry best practices to protect your organization against ransomware are followed, regardless of whether you are vulnerable.

Are you pondering what sigttou is pondering?

 Could anyone explain to me why the jsp shell is running as system user? Shouldn’t it be the user of the webserver?

But let’s return to the pachyderm in the parlor. Here’s jhodge:

 Your vCenter server should not be exposed to the Internet!

Who are these people putting 15,000 vCenter instances out there for the public to whack on? I can’t think of a single valid reason to do that, and I was a vCenter admin for years.

The stupid burns badly on this one.

Or just switch it off. Nate Amsden suggestifies thuswise—“kill openSLP”:

 You can run this command to see if the SLP service is even being used (at least on vSphere 6): esxcli system slp stats get

VMware suggested in the past to disable SLP if you are not using it. … As an extra check I ran nmap against the hosts to verify the port was closed after making the change.

Meanwhile, what is wrong with these sysadmins? Thorzdad has a go:

 Never underestimate the blindness of a sysadmin confident in their innate godhood.

And Finally:

What happens when two avgeeks get married

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Josh Rocklage(via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 629 posts and counting.See all posts by richi