
Rapid7 Analysis: VMware vSphere Client Unauth Remote Code Execution Vulnerability — CVE-2021-21972

Last updated on Jun 16, 2026

Threat status: Widespread threat
Attacker utility: Network infrastructure compromise

Update Tuesday, March 2, 2021: Community members have confirmed in-the-wild exploitation of CVE-2021-21972 to deliver web shells and malware (credit to @0x80O0oOverfl0w). There are at least four proof-of-concept (PoC) exploits publicly available. vCenter Server customers who have not patched and who have vCenter exposed to the internet should strongly consider conducting incident response investigations.

On Tuesday, February 23, 2021, VMware published a security advisory on three vulnerabilities affecting their vCenter Server, ESXi, and Cloud Foundation products. The most severe of these is CVE-2021-21972, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of VMware vCenter’s vROps plugin. The vulnerability allows an attacker with network access to port 443 to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

The affected vCenter Server plugin for vROps is available in all default installations; vROps does not need to be present for this endpoint to be available. CVE-2021-21972 carries a CVSSv3 base score of 9.8. Mikhail Klyuchnikhov of Positive Technologies has published technical details (see the Positive Technologies write-up in the References below).

While there have not yet been any reports of exploitation in the wild, there are reports of opportunistic scanning, and several proofs of concept (PoC) have been published. In-depth technical detail is publicly available as of February 24, 2021. Rapid7 categorizes CVE-2021-21972 as an impending threat, but we expect active and widespread exploitation to occur quickly. We strongly recommend updating to one of the fixed versions VMware has released on an emergency basis, or deploying the workaround immediately if updating is not possible.

Affected products

  • vCenter Server 7.x before 7.0 U1c
  • vCenter Server 6.7 before 6.7 U3l
  • vCenter Server 6.5 before 6.5 U3n
  • Cloud Foundation (vCenter Server) 4.x before 4.2
  • Cloud Foundation (vCenter Server) 3.x before 3.10.1.2

Rapid7 analysis

vCenter Server is a perennially valuable target for both sophisticated and commodity attackers, and CVE-2021-21972 gives an attacker broad latitude to compromise network infrastructure across affected vCenter installations. Rapid7 researchers have independently analyzed, tested, and confirmed exploitability of the vulnerability: remote code execution is straightforward using multiple vectors, and our team was able to use an arbitrary file write as the vsphere-ui user to upload an SSH key or webshell to a vulnerable vCenter Server running on Linux.

Rapid7 researchers began with a copy of the vROps (vRealize Operations) plugin in vCenter Server. While analyzing the plugin’s ServicesController class, which implements the /ui/vropspluginui/rest/services endpoints, Rapid7 researchers discovered an endpoint that appeared vulnerable to file upload and path traversal. The /ui/vropspluginui/rest/services/uploadova endpoint is shown below.

  @RequestMapping(value = {"/uploadova"}, method = {RequestMethod.POST})
  public void uploadOvaFile(@RequestParam(value = "uploadFile", required = true) CommonsMultipartFile uploadFile, HttpServletResponse response) throws Exception {
    logger.info("Entering uploadOvaFile api");
    int code = uploadFile.isEmpty() ? 400 : 200;
    PrintWriter wr = null;
    try {
      if (code != 200) {
        response.sendError(code, "Arguments Missing");
        return;
      }
      wr = response.getWriter();
    } catch (IOException e) {
      e.printStackTrace();
      logger.info("upload Ova Controller Ended With Error");
    }
    response.setStatus(code);
    String returnStatus = "SUCCESS";
    if (!uploadFile.isEmpty())
      try {
        logger.info("Downloading OVA file has been started");
        logger.info("Size of the file received  : " + uploadFile.getSize());
        InputStream inputStream = uploadFile.getInputStream();
        // Fixed extraction directory; any existing contents are deleted first.
        File dir = new File("/tmp/unicorn_ova_dir");
        if (!dir.exists()) {
          dir.mkdirs();
        } else {
          String[] entries = dir.list();
          for (String str : entries) {
            File currentFile = new File(dir.getPath(), str);
            currentFile.delete();
          }
          logger.info("Successfully cleaned : /tmp/unicorn_ova_dir");
        }
        // The upload is treated as a tar archive and unpacked entry by entry.
        TarArchiveInputStream in = new TarArchiveInputStream(inputStream);
        TarArchiveEntry entry = in.getNextTarEntry();
        List<String> result = new ArrayList<String>();
        while (entry != null) {
          if (entry.isDirectory()) {
            entry = in.getNextTarEntry();
            continue;
          }
          // The destination file name is derived from the client-supplied entry name.
          String parsedFileName = FilenameUtils.getName(entry.getName());
          logger.info("Original Path in OVA : " + entry.getName() + " | Parsed Path : " + parsedFileName);
          File curfile = new File("/tmp/unicorn_ova_dir", parsedFileName);
          File parent = curfile.getParentFile();
          if (!parent.exists())
            parent.mkdirs();
          OutputStream out = new FileOutputStream(curfile);
          IOUtils.copy((InputStream)in, out);
          out.close();
          result.add(entry.getName());
          entry = in.getNextTarEntry();
        }
        in.close();
        logger.info("Successfully deployed File at Location :/tmp/unicorn_ova_dir");
      } catch (Exception e) {
        logger.error("Unable to upload OVA file :" + e);
        returnStatus = "FAILED";
      }
    wr.write(returnStatus);
    wr.flush();
    wr.close();
  }
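The containment check a safe tar extractor performs, and a path-traversal-vulnerable one does not: every archive entry is resolved against the extraction directory before anything is written, and entries that normalise to a path outside it (or that are links) are refused. This is an added example in Python, not vCenter's own code (the plugin above is Java); the archive it inspects is constructed inline with one benign entry and two that would escape /tmp/unicorn_ova_dir.

```python
import io
import os
import tarfile

# Extraction directory used by the endpoint shown above.
EXTRACT_DIR = "/tmp/unicorn_ova_dir"


def is_contained(base_dir: str, entry_name: str) -> bool:
    """True only if base_dir/entry_name normalises to a path inside base_dir."""
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, entry_name))
    # commonpath works on components, so "/tmp/unicorn_ova_dir_x" does not pass.
    return os.path.commonpath([base, target]) == base


def unsafe_entries(tar_bytes: bytes, base_dir: str = EXTRACT_DIR) -> list:
    """Return names of archive members that must not be written to disk.

    Rejected: absolute names, names that escape base_dir after
    normalisation, and hard/symbolic links (a link written first could
    redirect a later entry outside the directory).
    """
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isdir():
                continue
            if member.issym() or member.islnk():
                rejected.append(member.name)
            elif os.path.isabs(member.name) or not is_contained(base_dir, member.name):
                rejected.append(member.name)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and two that would escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("disk1.vmdk", "../../../tmp/escaped.txt", "/etc/escaped.txt"):
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print("rejected entries:", unsafe_entries(build_sample_archive()))
```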

Rapid7 researchers confirmed that uploading an OVA file containing a path traversal allowed for an arbitrary file write as the vsphere-ui user on Linux. Writing an SSH key and a webshell were both tested successfully.

Analysis of the patch yielded no changed code, though the endpoints now require authentication. Thus, the vulnerability remains, and either credentialed access or an auth bypass will open up a target to continued exploitation.

Guidance

VMware customers that expose vCenter to the internet on port 443 should immediately restrict access and monitor for signs of suspicious activity. vCenter Server users should apply the workaround and/or update to one of the fixed versions VMware has released as soon as possible; organizations would be well-advised to consider invoking emergency patch procedures given the severity of the vulnerability and the potential for network infrastructure compromise. If you are unable to update to a new fixed version of the software immediately, you can disable the vROps plugin by following VMware’s directions here: https://kb.vmware.com/s/article/82374.
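One triage check for the incident response investigations recommended above: the endpoint logs each archive entry's original name ("Original Path in OVA : ... | Parsed Path : ..." in the code shown earlier), so a logged entry name with a traversal component or an absolute prefix is a direct indicator that a crafted upload was processed. This is an added example, not Rapid7's or VMware's code; the sample lines and their timestamp/level prefix are constructed, and the actual vsphere-ui log location and layout on a given vCenter should be confirmed before relying on the pattern.

```python
import re

# Constructed sample log lines in the style of the plugin's logger.info() calls.
# The timestamp/level/class prefix is an assumption; the message text is the
# endpoint's own wording.
SAMPLE_LOG = """\
2021-02-24T10:15:02.112Z INFO  ServicesController Entering uploadOvaFile api
2021-02-24T10:15:02.130Z INFO  ServicesController Original Path in OVA : disk1.vmdk | Parsed Path : disk1.vmdk
2021-02-24T10:15:02.131Z INFO  ServicesController Successfully deployed File at Location :/tmp/unicorn_ova_dir
2021-02-24T11:42:17.004Z INFO  ServicesController Entering uploadOvaFile api
2021-02-24T11:42:17.020Z INFO  ServicesController Original Path in OVA : ../../../tmp/escaped.txt | Parsed Path : escaped.txt
2021-02-24T11:42:17.021Z INFO  ServicesController Original Path in OVA : ..\\..\\escaped2.txt | Parsed Path : escaped2.txt
"""

ENTRY_RE = re.compile(r"Original Path in OVA : (?P<orig>.*?) \| Parsed Path : (?P<parsed>.*)$")
# A ".." path component, with either separator, anywhere in the name.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def is_traversal_name(name: str) -> bool:
    """True for names with a '..' component or an absolute prefix (/, \\ or drive letter)."""
    if TRAVERSAL_RE.search(name):
        return True
    return name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name) is not None


def flag_upload_entries(log_text: str) -> list:
    """Return (timestamp, original_name) for each logged entry that escapes the extraction dir."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if m and is_traversal_name(m.group("orig")):
            findings.append((line.split(" ", 1)[0], m.group("orig")))
    return findings


def count_upload_calls(log_text: str) -> int:
    """Number of uploadova invocations; unexpected volume on an unpatched host is itself a signal."""
    return sum(1 for line in log_text.splitlines() if "Entering uploadOvaFile api" in line)


if __name__ == "__main__":
    print("uploadova calls:", count_upload_calls(SAMPLE_LOG))
    for ts, name in flag_upload_entries(SAMPLE_LOG):
        print("suspicious entry at", ts, "->", name)
```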

References

https://swarm.ptsecurity.com/unauth-rce-vmware/
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
https://kb.vmware.com/s/article/82374
https://blog.rapid7.com/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/
