VMware vCenter vulnerability: Inside a critical remote code execution flaw
VMware addressed a remote code execution (RCE) vulnerability in VMware ESXi and VSphere Client virtual infrastructure management platform that could be exploited by criminals to execute arbitrary commands and take control of the vulnerable systems. Let's dive into this critical vulnerability, highlighting the most important details of this flaw.
The RCE flaw allows an unauthenticated user to send a specially crafted request, which opens the door for the execution of arbitrary commands on the server-side. The flaw was tracked as CVE-2021-21972 and has a CVSS score of 9.8, affecting several versions of the software.
“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” the company said in its advisory. [CLICK IMAGES TO ENLARGE]
Figure 1: VMware flaw-affected versions.
Details of the VMware RCE vulnerability
This vulnerability (CVE-2021-21972) could be used by criminals to breach the external perimeter of an enterprise data center by taking advantage of backdoors already installed on a system to find other vulnerable points of the network to take over the affected systems.
A second vulnerability — a server-side request forgery (SSRF) — was also discovered by PT Swarm, the company that discovered these vulnerabilities. The CVE-2021-21973 with a CVSS score of 5.3 allows unauthorized users to send HTTP-POST requests to execute further attacks, including the ability to scan the target's internal network and retrieve information about the open ports of various services.
Researchers found an unauthorized request didn't require any kind of authentication on the following component: /ui/vropspluginui/rest/services/*.
Figure 2: Vulnerable plugin on VMware VCenter.
The web application relies on plugins installed on the server-side, and the PT Swarm researchers found that a specific plugin is not well-configured, allowing unauthorized users to access any URL it handled.
In this way, the uploadOvaFile function responsible for the URL was analyzed in detail and explored to get an RCE condition as described below.
Figure 3: Part of the vulnerable code used to upload an arbitrary file into the server-side.
As highlighted, during the file upload step, a copy of each current entry is created on disk using the file naming convention: /tmp/unicorn_ova_dir + entry_name. The problem here is that the names of the .tar entries are not filtered, and can be modified to take advantage of “path traversal + RFI” due to bad development on the file parser function.
According to the researchers, “This meant we could create an archive entry containing the string “../,” which would allow us to upload an arbitrary file to an arbitrary directory on the server.”
By using a .tar evil file and uploading it, researchers were able to create a file on the server-side as presented in figure four.
Figure 4: Text file uploaded inside an arbitrary directory (created by researchers).
From web shell to RCE
From this point, it’s possible to upload arbitrary files into the server-side. To get an RCE condition, a web shell can be used by sending the next .tar file with the target path.
As noted, the testRCE.jsp web shell is created on the target path, and an RCE condition is obtained with system privileges.
Figure 5: RCE condition obtained via web shell.
Here, we see the web shell was successfully uploaded into the server-side and executed with system privileges — higher privileges on Windows systems.
RCE on Linux
On Linux instances, the challenge can be a little bit different, but very trivial as well. Instead of uploading a web shell, researchers can take advantage of the SSH service to add a trusted machine into the authorized_keys file and then get a valid SSH connection.
Figure 6: Malicious authorized_keys file created with the researchers’ public keys.
Next, the vulnerable system can be reached via SSH.
Figure 7: Valid SSH connection within the vsphere user context.
Avoiding VMware risk and vulnerabilities
VMware VCenter is a technology largely used around the world inside internal networks allowing the management of several and critical assets. With this vulnerability in place, criminals can successfully move through the internal networks and gain access to the data stored in the vulnerable systems, including virtual machines, system users and more.
Through this point, an internal reconnaissance can be done using the vulnerable machine as a pivot in lateral movement attacks.
It’s highly recommended that users update their systems to eliminate the risk associated with the flaws, and also remove VCenter Server interfaces from the perimeter of the organizations and allocate them to a separated VLAN with limited access on the corporate network.
Sources:
VMware VCenter vulnerability, PT Swarm
Advisory VMSA-2021-0002, VMware (hyperlink: https://www.vmware.com/security/advisories/VMSA-2021-0002.html)
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- VMware vCenter vulnerability: Inside a critical remote code execution flaw
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis