VMware has disclosed and patched a critical security hole in vRealize Business for Cloud that an unauthenticated attacker could exploit to remotely execute malicious code on vulnerable servers.
vRealize Business for Cloud is an automated cloud business management solution that IT teams can use for cloud planning, budgeting, and cost analysis.
The CVE-2021-21984 security vulnerability impacts virtual appliances running VMware vRealize Business for Cloud version 7.6.0 and prior.
Web security researcher Egor Dimitrenko of Positive Technologies discovered and reported the bug to VMware.
Attackers can exploit this security flaw using the management interface (VAMI) upgrade APIs to gain access to unpatched vRealize Business for Cloud Virtual Appliances.
“VMware vRealize Business for Cloud contains a remote code execution vulnerability due to an unauthorised end point,” VMware said. “VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.”
This critical RCE vulnerability can be exploited without authentication and with zero user interaction, the company noted.
VMware has addressed this security issue in VMware vRealize Business for Cloud 7.6.0. The company recommends taking snapshots before applying the security patch.
To fix the vulnerability on virtual appliances, owners of vRealize Business for Cloud first need to download the Security Patch ISO file from the VMware Downloads page.
Next, owners need to complete these steps to upgrade their appliances:
- Connect the vRealize Business for Cloud Server Appliance CD-ROM drive to the downloaded ISO file.
- Log in to the VAMI portal of vRealize Business for Cloud as a root user.
- Open the Update tab of the VAMI UI, then Settings.
- Select Update Repository > Use CDROM Updates, mount the downloaded ISO file, and click Save Settings.
- Click Install Updates on the Status tab to perform the upgrade.
VMware advises admins to update appliances as soon as possible.
VMware vulnerabilities have been exploited in the past. In December, Russian state-sponsored threat actors exploited a VMware Workspace One zero-day vulnerability and stole sensitive information. In addition, RansomExx, Babuk Locker, Darkside, and others have used RCE exploits to encrypt VMware ESXi instances’ virtual hard disks.