VMware published a security alert on Tuesday, March 30th, outlining two separate severe vulnerabilities within their vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager software. The vulnerabilities were reported to VMware by Egor Dimitrenko, a Positive Technologies penetration tester. The first vulnerability is tracked as CVE-2021-21975 and received a CVSS score of 8.6 out of 10. CVE-2021-21975 is a Server-Side Request Forgery (SSRF) vulnerability in the vRealize Operations Manager API that permits threat actors with network access to perform SSRF attacks and steal administrator credentials. The second bug is tracked as CVE-2021-21983 and received a CVSS score of 7.2 out of 10. This arbitrary file write vulnerability requires an attacker to be authenticated and to have network access in order to exploit it.
If an attacker has access to the same network from which the vulnerable VMware servers accept incoming requests, they would be able to exploit CVE-2021-21975 and attempt to steal administrator credentials. Once stolen, those credentials could then be used to “write files to arbitrary locations on the underlying Photon operating system.” That is why it is always best to limit direct access to servers and not permit open access from the Internet unless necessary. Patches have been issued for the vulnerabilities, which impact vRealize Operations Manager 7.5.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0, and 8.3.0 on any type of operating system deployment. The flaws also affect VMware Cloud Foundation versions 3.x and 4.x, alongside vRealize Suite Lifecycle Manager 8.x. Binary Defense recommends updating and patching critical servers as soon as possible after security patches are released. VMware has provided workaround mitigation information for IT administrators who are unable to update their systems immediately. Those can be found here: https://kb.vmware.com/s/article/83210. Patch information can be found here: https://kb.vmware.com/s/article/83265.