CVE spotlight: CVE-2021-21972 (VMware vCenter Server RCE)

Directory traversal vulnerability in “uploadova” function gives System level access.

CVE-2021-21972 background

Unauthenticated RCE over the network is the holy grail of attackers, and a new critical CVE announced by VMware on February 23rd, 2021 takes the cake. It has a CVSS of 9.8 out of 10 and allows the successful exploitation of vSphere Client (HTML5) to achieve System-level privileges on the underlying host. The vulnerability lies within the vROPS (vRealize Operations) plugin available by default on all vSphere Clients.

Walkthrough of the VMware vCenter Server RCE

VMware’s vSphere Client (HTML5) allows the management of virtualized environments for both Windows and Linux hosts. Connecting to the vSphere Client over the network is normal and expected, but also opens the attack pathway for this CVE. The plugin vROPS provides additional functionality for “intelligent operations management with application-to-storage visibility across physical, virtual, and cloud infrastructures,” according to VMware, and is where the vulnerable functionality resides.

Specially crafted requests on port 443 targeting the “uploadova” function can allow attackers to upload arbitrary files. In this case, the “uploadova” function accepts an attacker-selected file and creates a new file at “/tmp/yourfilehere”. After the file is uploaded, the code that extracts the contents of the uploaded file is vulnerable to directory traversal.

Abusing this directory traversal vulnerability allows attackers to upload files to any path on the system, allowing for actions such as overwriting SSH keys or uploading web shells. A successful file upload and abuse provides System-level privileges on the host running vSphere Client.

Perch is monitoring for attempts to exploit this vulnerability in the wild. Currently, a sufficiently knowledgeable threat actor could trivially convert the released information into an exploit. We expect this CVE to be heavily targeted and abused.

We created the following Suricata signature to detect a POST made to the “uploadova” URI. This may trigger on legitimate activity and a 200 OK response indicates success.

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:“VMware vSphere Client Exploit Attempt (CVE-2021-21972)"; flow:established,to_server; content:"/ui/vropspluginui/rest/services/uploadova”; fast_pattern; http_uri; content:“POST”; http_method; reference:url,https://www.vmware.com/security/advisories/VMSA-2021-0002.html; reference:cve,2021-21972; classtype:web-application-attack; sid: 900261; metadata:created_at 2021_02_24, cve CVE_2021_21972, signature_severity Critical, updated_at 2021_02_24;)

Recommendations

Patch or follow the remediation steps outlined below immediately.

• Restrict network access for vCenter to approved users only.
• Apply proper network segmentation and isolate vCenter from unnecessary visibility or access.
• Where appropriate, only allow remote access to vCenter through a VPN or similar solution.
• Please contact the Perch Security SOC (Security Operations Center) for any questions at: SOC@perchsecurity.com

Affected Versions

• vCenter Server 6.5, 6.7, 7.0
• Cloud Foundation 3.x, 4.x

Patches are available for the affected versions through VMware at the link below:

https://kb.vmware.com/s/article/82374

References

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

https://docs.vmware.com/en/vRealize-Operations-Manager/index.html

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Perch bulletin: FortiOS CVE-2018-13379