CVE-2021-21972: RCE Vulnerability in VMware vCenter Server

Executive Summary

On Tuesday, February 23, VMware released an advisory and patch for a new remote code execution (RCE) vulnerability in VMware vCenter Server tracked as CVE-2021-21972. One day following this release, multiple researchers publicly posted Proof of Concept (PoC) exploit code for this vulnerability, leading to reports of widespread exploitation attempts in the wild.

Arctic Wolf assesses the risk posed by CVE-2021-21972 as high, and strongly recommends that customers running these affected versions of vCenter Server apply the patch or workaround immediately.

Arctic Wolf has deployed multiple detection measures against this threat and is actively monitoring customer environments for attacks exploiting this vulnerability.

Analysis

This vulnerability impacts the following versions of VMware vCenter Server:

• 7.0x prior to 7.0 U1c
• 6.7x prior to 6.7 U3l
• 6.5x prior to 6.5 U3n

After analyzing the technical details of this vulnerability, Arctic Wolf has determined that exploitation is trivial for threat actors and assesses there are two highly probable attack scenarios.

Scenario 1: Remote code execution against Windows system running VMware vCenter Server

1. Attacker identifies a vCenter Server accessible to the public internet or attacker has pre-established access to a target network and identifies an internally accessible vCenter Server.
2. Attacker crafts a backdoor Web Shell that connects back to a host they have control of. Using a Jakarta Server Pages (.JSP) Web Shell has been known to work in this attack scenario.
3. Attacker adds .JSP Web Shell (Let’s call it webshell.jsp) to a specially crafted .tar archive that contains directory traversal characters. Once the .tar file is extracted, this results in the webshell.jsp being placed in a different folder, such as /statsreport.
4. By exploiting an unauthenticated file upload flaw in VMware’s vCenter Client, the attacker sends a specially crafted HTTP POST containing the .tar archive to /ui/vropspluginui/rest/services/uploadova that extracts the webshell.jsp file in the archive upon upload to the /statsreport folder as outlined in step 3.
5. Attacker is then able to send specially crafted HTTP GET requests to execute remote commands. Example: GET /statsreport/webshell.jsp?cmd=whoami.
6. All remote commands sent are executed with SYSTEM-level privileges.

Scenario 2: Remote Code Execution against Linux System running VMware vCenter Server

1. Attacker identifies a vCenter Server accessible to the public internet or attacker has pre-established access to a target network and identifies an internally accessible vCenter Server.
2. Attacker checks that the system has SSH running via a port scan.
3. If SSH is running, the attacker then generates an SSH public/private key pair.
4. Attacker adds the text of the public key to a file called authorized_keys.
5. Attacker adds authorized_keys file to a specially crafted .tar archive that contains directory traversal characters that instruct the archive to be extracted in the target system’s /home/vsphere-ui/.ssh folder.
6. By exploiting an unauthenticated file upload flaw in VMware’s vCenter Client, the attacker sends a specially crafted HTTP POST containing the .tar archive to ./ui/vropspluginui/rest/services/uploadova that extracts the authorized_keys file in the archive upon upload to the /home/vsphere-ui/.ssh folder as outlined in step 5.
7. Attacker connects via SSH using their private key and logs in to the server with the same level of access as the vsphere-ui user.

Recommendations

1. Customers running versions version 6.5x, 6.7x, or 7.0x of VMware vCenter Server should ensure they update to versions 6.5 U3n, 6.7 U3l, or 7.0 U1c as soon as possible to mitigate the risk posed by this vulnerability.
2. Customers unable to immediately upgrade affected versions of vCenter Server are strongly advised to apply workaround mitigations as provided by VMware in this KB article.
3. Arctic Wolf also recommends that customers ensure their vCenter Server deployments are not accessible to the public internet, and that strong network access controls are put in place to limit access to only authorized users.