On Tuesday, VMware released a bulletin warning of up to 19 vulnerabilities in its vCenter Server and Cloud Foundation products that a remote attacker might use to take control of affected systems.
The most serious is an unauthenticated file upload vulnerability in the Analytics service (CVE-2021-22005), which affects vCenter Server 6.7 and 7.0 deployments. The company stated that a threat actor with network access to port 443 on vCenter Server might use this flaw to execute malicious code on the server by uploading a specially crafted file.
Even though the other flaws are not rated as critical, customers should not underestimate them, the company said:
“One of the biggest problems facing IT today is that attackers often compromise a desktop and/or user account on the corporate network, and then patiently and quietly use that to break into other systems over long periods of time. They steal confidential data, intellectual property, and in the end install ransomware and extort payments from their victims. Less urgent security vulnerabilities can still be potential tools in the hands of attackers, so VMware always recommends patching to remove them.”
In a blog post, the company said that this vulnerability might be exploited by anybody who can connect to vCenter Server over the network, regardless of vCenter Server’s configuration settings.
Although VMware has released fixes for the issue, the firm warns that they are only a temporary measure until the upgrades can be applied.
The flaws were first reported by Sergey Gerasimov and George Noseevich of SolidLab LLC, Yuval Lazar of Pentera, Osama Alaa of Malcrove, and Hynek Petrak of Schneider Electric.
In a FAQ, VMware clarified that the consequences of CVE-2021-22005 are significant, and that it will only be a matter of time – perhaps minutes – before working exploits are made public. The company also urged its customers to update their vCenter installations immediately.
With the risk of ransomware growing, the best course of action is to assume that an attacker has already gained control of a desktop and a user account through phishing or spear-phishing and to respond accordingly. This means the attacker may already be able to reach vCenter Server from inside the corporate firewall, so time is critical.