How Hackers Are Exploiting VMware

VMware released a security update this week and has since warned that hackers are exploiting the vulnerability it fixes. The security flaw is tracked as CVE-2021-22005 and currently impacts all vCenter Server 6.7 and 7.0 deployments with default configurations.

VMware released this statement:

“This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,” said Bob Plankers, Technical Marketing Architect at VMware.

An unauthenticated attacker can exploit the flaw remotely with very low attack complexity and no user interaction. Attacks are already under way against unpatched, Internet-exposed VMware vCenter servers through the file upload vulnerability patched earlier this week, which leads to remote code execution. Exploit code is apparently not yet publicly available, but attackers began probing for the critical bug mere hours after the VMware security update was released.

VMware has a history with this type of vulnerability, with issues as recent as June and February of this year. Attackers mass-scanned unpatched vCenter appliances for another critical security flaw, and exploit code had been published online.

More from VMware on how to address CVE-2021-22005:

“In this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.”

The company also provides a workaround that requires admins to edit a text file on the virtual appliance and restart services, either manually or with a script, to remove the exploitation vector.

VMware also published a detailed FAQ document with additional questions and answers regarding the CVE-2021-22005 flaw.

“Immediately, the ramifications of this vulnerability are serious, and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.”

“With the threat of ransomware looming nowadays, the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spear phishing and act accordingly.

“This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.”

PCG Systems is a Denver-based managed IT service provider specializing in end-to-end managed IT services & support, cybersecurity, and IT consulting. Our goal is to be our client’s greatest asset while protecting your sensitive data. To learn more please visit https://www.pcgsystems.com/

Josh Wise