{Updated on October 07, 2021}: A working, partially redacted proof of concept was released by independent researcher William Vu on September 28, 2021. Within hours of its release, cybercriminals were observed using an unredacted version in active exploitation.
This proof of concept is separate from the partial PoC released by Jang. It allows an unauthenticated remote attacker to upload a specially crafted file to the vCenter Server Analytics Service and obtain a reverse shell, that is, arbitrary code execution on the vulnerable server. Since a patch for this critical vulnerability is already available, we recommend patching exposed servers urgently.
We urge organizations to keep all their enterprise assets up to date so as not to be exposed to a ransomware attack.
On September 21, 2021, VMware published an advisory warning of nineteen vulnerabilities in vCenter Server. Of the nineteen, one CVE stands out as extremely critical and a likely target for ransomware operators: CVE-2021-22005.
Researchers at Cyber Security Works (CSW) analyzed these vulnerabilities from a pentester's perspective, and here is their verdict.
“Any malicious actor who has network access to port 443 on vCenter Server can exploit CVE-2021-22005 easily and execute code by uploading a maliciously crafted file.”
~ A Pentester’s Perspective
Attackers Actively Scanning CVE-2021-22005
VMware products have seen several critical vulnerabilities in recent months. After CVE-2021-21985, which also affects vCenter Server, this week's critical vulnerability needs to be patched as a priority before it is exploited.
Our pentesters identified that CVE-2021-22005 is being actively scanned for by threat actors and can have a massive impact if a ransomware group gains network access to port 443 on an exposed vCenter Server.
Why is CVE-2021-22005 so dangerous?
- The vulnerability is an arbitrary file upload flaw that allows a remote attacker to upload a specially crafted file to the vCenter Server Analytics Service.
- The CVE has a CVSS v3 score of 9.8, making it an extremely critical vulnerability.
- Successful exploitation allows remote code execution on the host. As VMware notes in a blog post, the vulnerability exists in vCenter Server regardless of configuration settings, so it is exploitable by default in affected vCenter Server versions.
- NVD had not assigned a CWE to the CVE when this article was written.
- The CVE has been trending since September 21, 2021, the date VMware disclosed it.
- The CVE is trending in the Asia-Pacific (APAC) region, specifically Singapore and Australia, and also in North America, Brazil, and parts of Europe.
- VMware issued a temporary workaround for the vulnerability on September 22.
- A partial PoC was released by a researcher known as Jang on September 24. It was deliberately left incomplete so that organizations would have time to patch.
Trending regions for CVE-2021-22005
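The points above describe the attack surface (port 443, a file-upload endpoint on the Analytics service) and note active scanning for it. The following script is an added example, not code from the original article or from VMware: it runs simple detection logic over web-access-log lines in front of a vCenter Server and flags (a) requests to the Analytics service from outside trusted management networks, (b) upload (POST) requests carrying a path-traversal marker, and (c) method probes of the upload endpoint that look like scanner activity. The log lines, IP addresses, trusted ranges and log format are constructed for this example; the Analytics service URL prefix is an assumption you should confirm against VMware's advisory and KB for your version.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed URL prefix under which the vCenter Analytics (telemetry) service is
# reached over port 443. Confirm against VMware's advisory/KB for your version.
ANALYTICS_PREFIX = "/analytics/telemetry/"

# Constructed management ranges: nothing outside these networks should ever
# reach the Analytics service.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in Apache "combined" format, as a reverse proxy or
# WAF placed in front of vCenter might record them. Not real vCenter logs.
SAMPLE_LOG = """\
10.0.5.20 - - [28/Sep/2021:14:02:11 +0000] "GET /ui/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [28/Sep/2021:14:03:50 +0000] "GET /analytics/telemetry/ph/api/hyper/send HTTP/1.1" 405 0 "-" "python-requests/2.26.0"
203.0.113.45 - - [28/Sep/2021:14:03:51 +0000] "POST /analytics/telemetry/ph/api/hyper/send?file=%2e%2e/%2e%2e/tmp/x HTTP/1.1" 201 0 "-" "python-requests/2.26.0"
10.0.5.20 - - [28/Sep/2021:14:05:02 +0000] "POST /analytics/telemetry/ph/api/hyper/send?file=report HTTP/1.1" 201 0 "-" "VMware-client/6.5"
198.51.100.9 - - [28/Sep/2021:14:06:30 +0000] "GET /sdk/vimServiceVersions.xml HTTP/1.1" 200 400 "-" "Nmap Scripting Engine"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def is_trusted(ip, trusted_nets):
    """True if the client address falls inside one of the trusted management ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def analyze(log_text, trusted_nets=TRUSTED_NETS):
    """Return a list of findings for requests that touch the Analytics service."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ANALYTICS_PREFIX):
            continue  # only traffic to the Analytics service is of interest here
        decoded = unquote(rec["target"])  # catch %2e%2e style encoded traversal
        reasons, severity = [], "low"
        if not is_trusted(rec["ip"], trusted_nets):
            reasons.append("request to Analytics service from untrusted source")
            severity = "medium"
        if rec["method"] == "POST" and ".." in decoded:
            reasons.append("path traversal marker in upload request")
            severity = "high"
        elif rec["method"] != "POST" and rec["status"] == 405:
            reasons.append("method probe of upload endpoint (possible scanner)")
        if reasons:
            findings.append({"ip": rec["ip"], "severity": severity,
                             "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']}: {'; '.join(f['reasons'])}")
```

Run against the constructed sample, the script reports two findings for 203.0.113.45 (a medium-severity method probe from an untrusted source, then a high-severity upload with a traversal marker) and stays silent on the legitimate internal POST and on requests to other paths. In a real deployment, feed it the access log of whatever sits in front of port 443 on the vCenter Server and replace the trusted ranges with your management networks.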
Vulnerable Products
The affected products are vCenter Server 6.7 and 7.0. Shodan exposure data shows that the 7.0.1 and 7.0.2 releases are affected as well.
We urge organizations running VMware vCenter Server to check whether their server version is vulnerable by running the script recommended by VMware, apply the workaround, and then update their servers to the fixed versions.
What is the Global Exposure?
A global exposure analysis using Shodan shows that many affected product versions are widely deployed.
- There are 6611 instances of VMware vCenter Server exposed to the Internet, with around 40% of them found in the United States alone.
vCenter Server v6.7.0
- VMware vCenter Server version 6.7 appears to be the most widely used release, with over 1700 instances spread across the United States, Germany, China, France, Turkey, and Russia.
- 1640 of these instances expose port 443, the HTTPS port through which the vulnerable Analytics service is reached, so a successful exploit there also compromises the underlying host operating system.
- Ports 8443, 9443, 10443, and 9001 could also serve as possible attack vectors for vCenter version 6.7.
vCenter Server v7.0.0
- VMware vCenter Server version 7.0.0 has 146 instances in use, primarily spread across the United States, China, Germany, Iran, and Hong Kong.
- 130 instances of v7.0.0 expose port 443 to attackers.
vCenter Server v7.0.1
- VMware vCenter Server version 7.0.1 has 146 instances in use, primarily spread across the United States, China, Germany, Iran, and Hong Kong.
- 167 instances of v7.0.1 expose port 443 to attackers.
vCenter Server v7.0.2
- VMware vCenter Server version 7.0.2 has 996 instances in use, primarily spread across the United States, Germany, France, Turkey, and Iran.
- 942 instances of v7.0.2 expose port 443 to attackers.
Here are the plugin details used by vulnerability scanners:

| Scanner | Plugins for CVE-2021-22005 |
| --- | --- |
| Nessus | 153544, 153545 |
| Nexpose | vmsa-2021-0020-cve-2021-22005-vcenter |
| Qualys | 216266, 216265 |
Patching this vulnerability should be a top priority for organizations.
The inference we draw from our analysis of CVE-2021-22005 is that it is critical to upgrade to version 7.0 U2d, or to 6.7 U3o for the 6.7 virtual appliance.
CISA issued a warning on September 24, 2021, also encouraging immediate action to mitigate the issue.
We urge administrators to patch this vulnerability before moving on to scheduled patches, as the imminent threat of a major ransomware attack similar to the DarkSide attack looms.