VMWare issued an advisory on February 11th warning customers that vSphere Replication “contains a post-authentication command injection vulnerability in the Startup Configuration page.” A threat actor with administrative access is able to execute remote commands in an unpatched system, versions 8.3.x and below. The advisory has obtained a CVE rating that is currently under review, CVE-2021-21976. Patching is the only fix for the vulnerability as no workaround has been issued at the time of writing.
Analyst Notes
Since exploitation of this vulnerability requires an attacker to have administrative access, it is not as high a priority, but should still be scheduled in regular software patch cycles. Keeping software on production machines up to date with security patches is paramount to maintaining a strong security posture, although patching alone is no guarantee that a breach will not occur. Detections and watchlists monitoring infrastructure with a documented baseline of normal usage may allow for detection of anomalous behavior such as vSphere Replication executing shell code to be detected. Within the past five years, the National Vulnerability Database has recorded 235 vulnerabilities involving VMware a company with a strong reputation of security and safety. In order to combat exploitation and vulnerability, a company should consider supplementing their security program with a managed security service such as Binary Defense’s Security Operations Task Force and utilize a proactive approach employed by our Threat Hunting team to greatly reduce the risk of breach cost and occurrence.
https://www.vmware.com/security/advisories/VMSA-2021-0001.html
https://securityaffairs.co/wordpress/114619/security/vmware-command-injection-vsphere-replication.html
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=VMware&queryType=phrase&search_type=all&cpe_vendor=cpe%3A%2F%3Avmware&pub_start_date=02%2F15%2F2016&pub_end_date=02%2F15%2F2021
