On Tuesday, 21 September 2021, VMware released a patch advisory for a new remote code execution (RCE) vulnerability in VMware vCenter Server tracked as CVE-2021-22005. vCenter Server is a server management solution that System Administrators use to manage virtual machines and virtualized hosts within enterprise environments via a single console. CVE-2021-22005 affects VMware vCenter 6.7x/7.0x and also affects VMware Cloud Foundation 3.x/4.x which bundles vCenter into the software.
Partial proof of concept (PoC) exploit code for CVE-2021-22005 has surfaced publicly and threat actors have begun to scan the internet for publicly accessible vulnerable vCenter Servers. Although the full working exploit for CVE-2021-22005 is not in the public domain, we expect threat actors to quickly fill in the gaps and begin exploiting this vulnerability in targeted ransomware attacks. Exploitation of CVE-2021-22005 can allow a threat actor with direct network access to a vulnerable system to remotely execute malicious code of their choosing.
CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description
--- | --- | --- | --- | ---
CVE-2021-22005 | 9.8 | Critical | Arbitrary File Upload & Remote Code Execution (RCE) | The vCenter Server contains an arbitrary file upload vulnerability which could lead to RCE.
Analysis
CVE-2021-22005
This is a file upload vulnerability in the vCenter Server. An unauthenticated attacker capable of accessing port 443 over the same network or directly from the internet could exploit a vulnerable vCenter Server by uploading a file to the vCenter Server analytics service. Successful exploitation would result in remote code execution on the host.
Solutions and Recommendations
This section provides details on the recommendations that Arctic Wolf suggests to remediate CVE-2021-22005.
Recommendation #1: Patch Affected VMware vCenter Server or Cloud Foundation Systems
Patching of vulnerable vCenter Server or Cloud Foundation systems is the best way to fully mitigate CVE-2021-22005. We recommend a priority focus on systems exposed to the public internet or vulnerable points of your internal network.
Below is a breakdown of each affected version of vCenter, Cloud Foundation and associated patch information.
Note: Cloud Foundation is VMware’s hybrid cloud implementation of vCenter Server and has vCenter bundled into the product which is why CVE-2021-22005 affects this software as well.
Vulnerable Product & Versions | Patched Version
--- | ---
VMware vCenter Server versions 6.7x and 7.0x | https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html ; https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2c-release-notes.html
VMware Cloud Foundation versions 3.x and 4.x | https://kb.vmware.com/s/article/85719 ; https://kb.vmware.com/s/article/85718
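To turn the patch guidance above into a repeatable inventory check, the following added example (not Arctic Wolf's or VMware's code) compares installed vCenter and Cloud Foundation version strings against the patched versions named in this advisory's references (6.7.0.50000, 7.0.2.00400, 3.10.2.2, 4.3.1). It assumes versions are reported in VMware's dotted form and that any release at or above the patched version on the same branch carries the fix; hostnames in the sample inventory are constructed.

```python
"""Triage vCenter / Cloud Foundation versions against CVE-2021-22005 patch levels."""
from typing import Dict, List, Tuple

# Patched versions as listed in the advisory, keyed by (product, affected branch).
PATCHED: Dict[Tuple[str, str], str] = {
    ("vcenter", "6.7"): "6.7.0.50000",
    ("vcenter", "7.0"): "7.0.2.00400",
    ("vcf", "3"): "3.10.2.2",
    ("vcf", "4"): "4.3.1",
}
# Number of leading components that identify an affected branch per product.
BRANCH_DEPTH = {"vcenter": 2, "vcf": 1}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.0.2.00400' into (7, 0, 2, 400) so versions compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, version: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-listed' for one installed version."""
    parsed = parse_version(version)
    branch = ".".join(str(p) for p in parsed[: BRANCH_DEPTH[product]])
    fixed = PATCHED.get((product, branch))
    if fixed is None:
        return "not-listed"  # branch is not named as affected in this advisory
    # Assumption: a later release on the same branch includes the fix.
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status; inventory rows are (host, product, version)."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "not-listed": []}
    for host, product, version in inventory:
        result[assess(product, version)].append(host)
    return result


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    ("vcsa-01.example.test", "vcenter", "7.0.2.00300"),
    ("vcsa-02.example.test", "vcenter", "7.0.2.00400"),
    ("vcsa-03.example.test", "vcenter", "6.7.0.48000"),
    ("vcf-mgmt.example.test", "vcf", "4.3.1"),
    ("legacy.example.test", "vcenter", "6.5.0.30000"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "not-listed" are on a branch this advisory does not name as affected and should be checked against VMware's own advisory rather than assumed safe.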
Recommendation #2: Explore Applying Temporary Mitigation for CVE-2021-22005
For organizations that cannot patch immediately, VMware has released a workaround for this vulnerability. It is a temporary measure only and should be replaced by the patch as soon as one can be applied. VMware provides a manual option that involves editing an XML file and an automated method that uses a VMware-supported Python script.
Before applying this workaround, carefully review the steps provided by VMware here to understand the potential impact on your vCenter or Cloud Foundation deployment.
References
- VMware Patch Advisory
- VMware Patch Advisory FAQ Page
- VMware vCenter 6.7.0.50000 Patch
- VMware vCenter 7.0.2.00400 Patch
- VMware Cloud Foundation 3.10.2.2 Patch
- VMware Cloud Foundation 4.3.1 Patch
- Workaround Instructions for CVE-2021-22005