{"id":43109,"date":"2021-09-28T21:06:00","date_gmt":"2021-09-28T21:06:00","guid":{"rendered":"http:\/\/1548807c-2df2-4946-bd8e-c865c9045c45"},"modified":"2021-09-28T21:06:00","modified_gmt":"2021-09-28T21:06:00","slug":"exploit-released-for-vmware-vulnerability-after-cisa-warning","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/exploit-released-for-vmware-vulnerability-after-cisa-warning\/","title":{"rendered":"Exploit released for VMware vulnerability after CISA warning"},"content":{"rendered":"

A working exploit for CVE-2021-22005 — a vulnerability with VMware vCenter — has been released and is reportedly being used by threat actors, according to experts tracking the issue. <\/p>\n

Last week, VMware warned of a critical vulnerability<\/a> in the analytics service of vCenter Server and urged users to update their systems as soon as possible. <\/p>\n

On September 21, VMware said<\/a> that its vCenter Server is affected by an arbitrary file upload vulnerability in the Analytics service which would allow a malicious actor with network access to exploit this vulnerability to execute code on vCenter Servers. <\/p>\n

By September 24, VMware had confirmed reports that CVE-2021-22005 was being exploited in the wild and dozens of security researchers online reported mass scanning<\/a> for vulnerable vCenter Servers and publicly available exploit codes. <\/p>\n

CISA followed up<\/a> with its own warning on Friday, writing on Twitter that they expected “widespread exploitation of VMware vCenter Server CVE-2021-22005.” Like VMware, they urged users to upgrade to a fixed version as quickly as possible or apply the temporary workaround provided by VMware. <\/p>\n

That same day, cybersecurity company Censys released a report<\/a> showing that there were around 3,264 hosts that are Internet-facing and potentially vulnerable. More than 430 had been patched and 1,369 are either unaffected versions or have the workaround applied.<\/p>\n

In a statement to ZDNet, VMware reiterated that it has released patches and mitigation guidance<\/a> to address multiple vulnerabilities affecting VMware vCenter Server 6.5, 6.7 and 7.0. They have also issued a public security advisory. <\/p>\n

<\/section>\n

“Customer protection is VMware’s top priority, and we strongly recommend that affected customers patch immediately as indicated in the advisory. As a matter of best practice, VMware encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment and deploy our products in a security hardened configuration,” the company said. <\/p>\n

“Customers should also sign-up for VMware’s Security-Announce mailing list to receive new and updated VMware Security Advisories.”<\/p>\n

Derek Abdine, CTO of Censys, confirmed to ZDNet that they have reliably proven that remote execution is possible and easy to do. <\/p>\n

“I can confirm in-the-wild exploitation now. It looks like it’s related to the second vulnerability that is part of CVE-2021-22005. I haven’t seen evidence of exploitation using the hyper\/send endpoint (the other part of CVE-2021-22005), but that endpoint is slightly less viable because it has a prerequisite condition. The \/datapp endpoint is more concerning as there are no prerequisites and it is thought to exist on more versions of vCenter,” Abdine explained. <\/p>\n

“Also, internal exposure is still a big deal. There are quite a number of these externally facing, but that should not be the norm. Many organizations have private VMware clusters, and this issue will still present a significant risk to them if an attacker is able to leverage the exploit internally.”<\/p>\n

Will Dormann, vulnerability analyst at the CERT\/CC, also confirmed on Twitter<\/a> that the exploit for CVE-2021-22005 is now fully public. <\/p>\n

\"censys-vmware-1.png\"<\/span>