Shortly after VMware released a security advisory for CVE-2021-21972, proof-of-concept (PoC) code appeared online for exploiting vCenter. This vulnerability was originally found and reported to VMware by Mikhail Klyuchnikov of Positive Technologies, who had planned to give the public plenty of time before releasing the technical details. Unfortunately, things did not go quite as planned, and since the details are now known they have decided to make their post public.
On both Linux and Windows hosts, vCenter allowed unauthenticated file uploads, leading to code execution. On Windows, a JSP file could be uploaded to a location that is served over HTTP; by uploading a webshell, an attacker could perform any action they wanted. Although it works a little differently on Linux, the idea is the same: by uploading an SSH key, it became possible to SSH into the host and perform any action permitted by the account vCenter runs as.
CVE-2021-21972 has been given a Critical severity rating. With the PoC and technical details surrounding it released, Binary Defense highly recommends all administrators visit the VMware security advisory to apply the mitigation configuration update as soon as possible. All Internet-accessible instances are at very high risk of compromise. Administrators need to evaluate whether these servers need to be exposed directly to the Internet. Placing services that don’t need to be accessible to the general public behind a VPN offers an extra layer of security and can reduce a malicious actor’s initial attack vector. Internal vCenter servers could also be exploited by attackers who have gained a foothold on an employee’s workstation, and should also be patched.