    February 24, 2021

    Critical VMware vCenter RCE (CVE-2021-21972) Exploits Released

    What Happened

    Positive Technologies discovered a vulnerability in VMware vCenter/vSphere that allows an unauthenticated attacker to remotely execute code on the VMware hypervisor (CVE-2021-21972). The vulnerability was first reported to the vendor on October 2, 2020, and a patch was released by VMware on February 23, 2021.

    Is a weaponized exploit available yet?

    Proof-of-concept code was released on GitHub shortly after the patch, giving any attacker with access to that code the ability to take advantage of the vulnerability.

    How Bad is This?

    Bad. Any threat actor who can reach port 443 on your vCenter server can completely compromise the device, the data, and any VMs it contains.

    Several exploits are now public; you should expect them to be used immediately to facilitate attacks. Scanning for vulnerable systems has already been observed.


    What Should I Do?

    Make sure no vCenter assets are directly exposed to the internet; if they are, sever that access and triage those hosts for indications of compromise. If not directly exposed to the internet, prioritize patching quickly because a locally networked device could be used to exploit internal hosts. It only takes one phishing email for an actor to breach the perimeter.

    Your options are ordered from the most complete remediation to more temporary measures:

    Option 1:
    Apply the patch according to your version.

    Option 2:
    Employ a workaround to disable the vulnerable location on the server. Here are instructions on how to do that, from VMware’s knowledge base: https://kb.vmware.com/s/article/82374

    Option 3:
    Use network firewalls to restrict access on port 443 to trusted hosts only.

    How to Detect

    Watch for unusual access to vCenter hosts on port 443; where your logging allows it, alert specifically on requests for the following URI paths:

    /ui/vropspluginui/rest/services/
    /ui/vropspluginui/rest/services/uploadova
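    As an added example (not part of the original alert, and not VMware's or Positive Technologies' code), the script below shows how a detection team could sweep web access logs for requests to the two URI paths listed above. It assumes logs in the common "combined" access-log format; the log lines embedded in it are constructed for illustration, and the internal CIDR ranges are assumptions you would replace with your own. A single prefix match on `/ui/vropspluginui/rest/services/` covers both paths, and a POST to the `uploadova` handler is rated highest since that is the most specific indicator. Requests from internal addresses are flagged rather than ignored, because a locally networked host can be used to reach vCenter.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the common "combined" web-access-log format.
# They are illustrative only, not captured from a real vCenter host.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Feb/2021:08:01:12 +0000] "GET /ui/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Feb/2021:08:01:15 +0000] "GET /ui/vropspluginui/rest/services/ HTTP/1.1" 200 210 "-" "python-requests/2.25.1"
203.0.113.10 - - [24/Feb/2021:08:01:16 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 42 "-" "python-requests/2.25.1"
198.51.100.7 - - [24/Feb/2021:08:05:02 +0000] "GET /ui/vropspluginui/rest/services/?x=1 HTTP/1.1" 401 0 "-" "curl/7.64.1"
10.0.0.5 - - [24/Feb/2021:08:09:44 +0000] "GET /ui/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Feb/2021:08:12:03 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 42 "-" "curl/7.64.1"
"""

# The two URI paths from the alert; a prefix match on the first covers both.
WATCHED_PATHS = (
    "/ui/vropspluginui/rest/services/",
    "/ui/vropspluginui/rest/services/uploadova",
)
UPLOAD_PATH = WATCHED_PATHS[1]

# Fields of a "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_watched(path):
    """True if the request path (query string stripped) is under the plugin endpoint."""
    bare = path.split("?", 1)[0]
    return any(bare.startswith(p) for p in WATCHED_PATHS)


def classify(entry, internal_nets):
    """Rate one matching request and note whether its source is an internal address."""
    bare = entry["path"].split("?", 1)[0]
    src = ipaddress.ip_address(entry["ip"])
    internal = any(src in net for net in internal_nets)
    # A POST to the uploadova handler is the most specific indicator; any other
    # request under the plugin's REST path is still worth an analyst's review.
    if entry["method"] == "POST" and bare.rstrip("/") == UPLOAD_PATH:
        severity = "high"
    else:
        severity = "medium"
    return {"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
            "path": entry["path"], "status": entry["status"],
            "severity": severity, "internal": internal}


def scan_log(text, internal_cidrs=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return the classified hits for every watched request in the log text.

    internal_cidrs is an assumed list of your own address ranges (RFC 1918 here).
    """
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    hits = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and is_watched(e["path"]):
            hits.append(classify(e, nets))
    return hits


def summarize(hits):
    """Count hits per source IP so repeated probing from one address stands out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["severity"]:6} {h["ip"]:15} internal={h["internal"]} '
              f'{h["method"]} {h["path"]} -> {h["status"]}')
    print("hits per source:", dict(summarize(found)))
```

    On the constructed sample the script reports four hits: two from 203.0.113.10 (a listing request followed by a POST to the upload path, rated high), one 401 probe from 198.51.100.7, and one high-severity POST from an internal address, which is exactly the case the "What Should I Do?" section warns about. Feed it your real access logs and pair the per-source counts with the port 443 firewall restriction from Option 3.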

    For further technical details, see:
    https://swarm.ptsecurity.com/unauth-rce-vmware/

    Tag(s): Security Alerts , Blog , CVE

    Brian Laskowski

    Brian has 5 years of experience in IT, with prior work including Linux systems administration and, most recently, leading the threat intelligence program at the State of Michigan security operations center. Other areas of focus have included incident response, threat hunting, memory analysis, adversary emulation, and...
