
VMware vRealize Operations (vROps) Manager SSRF RCE

Disclosed
2021-03-30
Created
2021-04-27

Description

This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth
file write (CVE-2021-21983) in VMware vRealize Operations Manager to
leak admin creds and write/execute a JSP payload.

CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and
CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate
endpoint. Code execution occurs as the "admin" Unix user.

The following vRealize Operations Manager versions are vulnerable:

* 7.0.0
* 7.5.0
* 8.0.0, 8.0.1
* 8.1.0, 8.1.1
* 8.2.0
* 8.3.0

Version 8.3.0 is not exploitable for creds and is therefore not
supported by this module. Tested successfully against 8.0.1, 8.1.0,
8.1.1, and 8.2.0.
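
For defenders, the two endpoints named above are a concrete signal to search for in web or reverse-proxy access logs. The following is an added example, not part of the Metasploit module: it assumes combined-format access logs and that both stages arrive from the same client address, and the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoints named in the module description.
WATCHED = {
    "/casa/nodes/thumbprints": "ssrf",                              # CVE-2021-21975
    "/casa/private/config/slice/ha/certificate": "file-write",     # CVE-2021-21983
}

# Assumption: Apache/NGINX "combined" access log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')

# Constructed sample lines (documentation IP ranges, invented timestamps and sizes).
SAMPLE = [
    '198.51.100.7 - - [01/Apr/2021:10:00:01 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 512',
    '192.0.2.10 - admin [01/Apr/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Apr/2021:10:00:09 +0000] "POST /casa//private/config/slice/ha/certificate/ HTTP/1.1" 200 64',
    '192.0.2.44 - - [01/Apr/2021:10:02:00 +0000] "POST /casa/nodes/thumbprints?x=1 HTTP/1.1" 404 0',
]

def detect(lines):
    """Map each client to 'chain' (SSRF endpoint, then file-write endpoint)
    or to the watched endpoint label(s) it touched."""
    seen = {}  # client -> endpoint labels in log order
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, raw_path = m.group(1), m.group(2)
        # Drop the query string, decode %-escapes, collapse '//', '/./', '/../'
        # and trailing slashes so trivially altered paths still match.
        path = posixpath.normpath(unquote(raw_path.split("?", 1)[0]))
        label = WATCHED.get(path)
        if label:
            seen.setdefault(client, []).append(label)
    verdicts = {}
    for client, labels in seen.items():
        if "ssrf" in labels and "file-write" in labels[labels.index("ssrf"):]:
            verdicts[client] = "chain"
        else:
            verdicts[client] = "+".join(sorted(set(labels)))
    return verdicts

if __name__ == "__main__":
    for client, verdict in detect(SAMPLE).items():
        print(client, verdict)
```

A "chain" verdict on a host running one of the versions listed above warrants checking for unexpected JSP files and rotating the admin credentials.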

Authors

Egor Dimitrenko
wvu <wvu@metasploit.com>

Platform

Linux

Architectures

java

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/linux/http/vmware_vrops_mgr_ssrf_rce
msf exploit(vmware_vrops_mgr_ssrf_rce) > show targets
...targets...
msf exploit(vmware_vrops_mgr_ssrf_rce) > set TARGET <target-id>
msf exploit(vmware_vrops_mgr_ssrf_rce) > show options
...show and set options...
msf exploit(vmware_vrops_mgr_ssrf_rce) > exploit
