Critical Remote Code Execution Vulnerability in VMware Cloud Foundation NSX-V: CVE-2021-39144


On Tuesday, October 25, 2022, VMware disclosed a critical remote code execution vulnerability (CVE-2021-39144, CVSS 9.8) in VMware Cloud Foundation (NSX-V) versions 3.x and older. Because an unauthenticated endpoint uses XStream to deserialise attacker-supplied input, a threat actor can achieve remote code execution in the context of 'root' on the appliance.

If your environment runs VMware Cloud Foundation version 4 or later, no changes are required: these versions are not affected by this vulnerability.

NOTE: CVE-2021-39144 was originally published in August 2021 as a remote code execution vulnerability in the XStream library. VMware Cloud Foundation (NSX-V) versions 3.x and older are vulnerable because they bundle this library and expose it to unauthenticated input.

Arctic Wolf and VMware have not observed active exploitation of this vulnerability. However, the security researchers who responsibly disclosed it published a detailed blog post and a proof-of-concept (PoC) exploit on October 25, 2022. We assess that threat actors will likely begin exploiting this vulnerability in the near term, given the publicly available PoC, the ease of exploitation, and the historical targeting of VMware appliances, including VMware Cloud Foundation. Threat actors have already exploited at least one other vulnerability in VMware Cloud Foundation (CVE-2021-21973), according to CISA's Known Exploited Vulnerabilities Catalog. We strongly recommend applying the relevant security patch to affected appliances to remediate CVE-2021-39144 and prevent exploitation.

Affected Products:

  • VMware Cloud Foundation (NSX-V) 3.11 and below

Recommendations for CVE-2021-39144

Arctic Wolf strongly recommends applying the security patch provided by VMware. For customers running older versions that are no longer supported, VMware recommends upgrading to a supported product release as soon as possible.

Please follow your organisation’s patching and testing guidelines to avoid any operational impact.

Upgrade VMware Cloud Foundation (NSX-V) to a Fixed Version

Upgrade VMware Cloud Foundation (NSX-V) according to the table below, then apply the workaround steps that follow. Both parts are required to remediate the issue described above.

VMware Cloud Foundation Version → Upgrade Option

  • Prior to VCF 3.9.1: Upgrade to 3.11.0.1 or later, then apply the steps in the workaround section of this bulletin below.
  • VCF 3.9.1 and above: Apply the steps in the workaround section of this bulletin below.

Workaround

Step 1: Perform the following step on each VMware NSX-V instance deployed in your VMware Cloud Foundation environment

  1. Apply the NSX-V 6.4.14 patch, available from the VMware Product Patch page, to all NSX-V instances (Management and VI Domain) in the environment.

Step 2: Perform the following steps on each SDDC Manager VM deployed in your Cloud Foundation environment

  1. Log in to the SDDC Manager virtual machine via SSH and sudo to the root account
  2. Verify the NSX-V version recorded in the inventory

<pre>

root@sddc-manager [ /home/vcf ]# curl localhost/inventory/nsxmanagers | json_pp
[
{
"id" : "<<NSX-v ID>>",
"version" : "<<Current NSX-v Version>>",
"status" : "ACTIVE",
"hostName" : "nsxManager.vrack.vsphere.local",
"domainId" : "dc5318d3-0f98-430a-9f49-2b33bbe97630",
"managementIpAddress" : "10.0.0.9",
"vmName" : "nsxManager",
"vcenterId" : "995a88d4-d6b9-4b97-b6dc-ed72cce23976"
}
]

</pre>

Note the following details:
The "id" field in the response is the <<NSX-v ID>> used in the next step.
The "version" field for each NSX-V instance is the <<Current NSX-v Version>>; if it already reads 6.4.14-20609341, that instance's inventory record is up to date.

  3. Use the inventory API to update the recorded NSX-V version to the hot patch build 6.4.14-20609341

<pre>

root@sddc-manager [ /home/vcf ]# curl -X PATCH 'localhost/inventory/entities/<<NSX-v ID>>' -d '{"version":"6.4.14-20609341", "type":"NSXMANAGER"}' -H 'Content-Type:application/json'

</pre>

  4. Verify the NSX-V version now reported by the inventory

<pre>

root@sddc-manager [ /home/vcf ]# curl localhost/inventory/nsxmanagers | json_pp
[
{
"managementIpAddress" : "10.0.0.9",
"id" : "82cd67f9-77d5-4ff6-a3b3-fa4415492160",
"opaqueBlob" : "…",
"status" : "ACTIVE",
"vmName" : "nsxManager",
"hostName" : "nsxManager.vrack.vsphere.local",
"version" : "6.4.14-20609341",
"vcenterId" : "995a88d4-d6b9-4b97-b6dc-ed72cce23976"
}
]

</pre>

Note: Every time a new VI workload domain is created, its NSX-V instance must be patched and these inventory steps must be repeated for it.
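The Step 2 procedure above is manual: read the inventory, copy each id, PATCH each record, read the inventory again. The following Python helper is an added example written for this bulletin; it is not VMware or Arctic Wolf code. It parses the JSON that GET /inventory/nsxmanagers returns (field names taken from the output shown above), compares each recorded build numerically against the hot patch build 6.4.14-20609341, and builds exactly the PATCH request the curl command issues. The http://localhost/inventory base URL is an assumption matching the bulletin's curl localhost/... calls; the sample inventory and the second, still-unpatched manager in it are constructed so the logic runs offline.

```python
"""Plan and (optionally) apply the SDDC Manager inventory update for NSX-V.

Added example for this bulletin, not VMware or Arctic Wolf code.  Assumes the
inventory API is reachable over plain HTTP on localhost, as the bulletin's
`curl localhost/inventory/...` commands imply.
"""
import json
import re
import urllib.request

FIXED_VERSION = "6.4.14-20609341"          # hot patch build named in the bulletin
INVENTORY_URL = "http://localhost/inventory"  # assumed base URL (see lead-in)

# <major>.<minor>.<patch>[-<build>]; the build number is what distinguishes
# the hot patch from an unpatched 6.4.14 install.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(version):
    """Turn '6.4.14-20609341' into (6, 4, 14, 20609341) so versions compare
    numerically rather than as strings.  A record without a build number sorts
    below any build of the same release, so it is treated as stale."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised NSX-V version string: {version!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build) if build else -1)


def needs_inventory_update(entry):
    """True when the inventory still records a build older than the hot patch."""
    return parse_version(entry["version"]) < parse_version(FIXED_VERSION)


def plan_updates(inventory_json):
    """Given the raw JSON body of GET /inventory/nsxmanagers, return
    (id, hostName, current_version) for every record that must be PATCHed.
    Extra fields such as opaqueBlob are ignored."""
    managers = json.loads(inventory_json)
    return [
        (m["id"], m.get("hostName", "?"), m["version"])
        for m in managers
        if needs_inventory_update(m)
    ]


def patch_body(version=FIXED_VERSION):
    """The JSON document the bulletin passes to `curl -X PATCH -d`."""
    return json.dumps({"version": version, "type": "NSXMANAGER"})


def patch_request(nsx_id, version=FIXED_VERSION):
    """Build (but do not send) the PATCH for one inventory entity."""
    return urllib.request.Request(
        f"{INVENTORY_URL}/entities/{nsx_id}",
        data=patch_body(version).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json"},
    )


def apply_updates(inventory_json, dry_run=True):
    """Send a PATCH for each stale record.  With dry_run=True only report what
    would be sent.  Returns the ids that were (or would be) updated."""
    updated = []
    for nsx_id, host, current in plan_updates(inventory_json):
        req = patch_request(nsx_id)
        print(f"{host}: {current} -> {FIXED_VERSION} via PATCH {req.full_url}")
        if not dry_run:
            with urllib.request.urlopen(req) as resp:  # noqa: S310 (localhost only)
                resp.read()
        updated.append(nsx_id)
    return updated


# Constructed sample inventory: the first record mirrors the bulletin's output
# after the update; the second (wld01, fictitious id and build) is still stale.
SAMPLE_INVENTORY = json.dumps([
    {"id": "82cd67f9-77d5-4ff6-a3b3-fa4415492160", "version": "6.4.14-20609341",
     "status": "ACTIVE", "hostName": "nsxManager.vrack.vsphere.local",
     "managementIpAddress": "10.0.0.9"},
    {"id": "11111111-2222-3333-4444-555555555555", "version": "6.4.13-19999999",
     "status": "ACTIVE", "hostName": "nsxManager-wld01.vrack.vsphere.local",
     "managementIpAddress": "10.0.1.9"},
])

if __name__ == "__main__":
    # On a real SDDC Manager: inventory = urllib.request.urlopen(
    #     f"{INVENTORY_URL}/nsxmanagers").read().decode(); then dry_run=False
    # once Step 1 (the actual NSX-V 6.4.14 patch) has been applied.
    apply_updates(SAMPLE_INVENTORY, dry_run=True)
```

Because the script only PATCHes records whose recorded build is older than the hot patch, it is safe to re-run after each new VI workload domain is created, which is when the bulletin says the steps must be repeated. Run Step 1 first: the PATCH only tells SDDC Manager what version NSX-V is at, it does not install anything.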


Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.