This blog contains information regarding a VMware vCenter public PoC that may be related to CVE-2021-21986. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.
Update December 8, 2021
14:00 | On the 1st of December 2021, a Proof-of-Concept exploit for VMware vCenter was published on GitHub by a user with nickname l0ggg. The Proof-of-Concept exploit seems to leverage an unauthenticated arbitrary file read and a SSRF vulnerability in VMware vCenter version 7.0.2.00100 (update 2a).
Currently the Proof-of-Concept exploit has not been attributed to a particular CVE. In public discussions, it has been suggested the exploit may be related to either CVE-2021-21980 or CVE-2021-22049 as described in VMware Advisory VMSA-2021-0027.
However, based on our analysis, we believe the exploit may be related to CVE-2021-21986 as described in VMware Advisory VMSA-2021-0010.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
The Proof-of-Concept exploit allows an unauthenticated attacker to download arbitrary files from the VMware vCenter server, or access arbitrary websites via de VMware vCenter server.
Based on the information provided by VMware in Advisory VMSA-2021-0010, the following versions are vulnerable:
- VMware vCenter prior to 7.0 U2b
- VMware vCenter prior to 6.7 U3n
- VMware vCenter prior to 6.5 U3p
What can I do to reduce or stop potential damage?
VMware published a patch on the 25th of May 2021, applying the patch as soon as possible is advisable. In case applying the patch is not possible, a workaround is available in KB83829.
In general, it is strongly recommended to limit access to the VMware vCenter web interface and to not expose the service to the internet.
The exploit described the following attack techniques:
- Unauthenticated arbitrary file read – This allows an attacker to download arbitrary files from the local disk. Based on our analysis this appears to be limited in scope to the user vsphere-ui which is member of the group users.
- Unauthenticated server-side request forgery (SSRF) – This allows an attacker to access web pages or web portals from the VMware vCenter server. This may lead to privilege escalation or be used for lateral movement.
We believe this exploit may be related to CVE-2021-21986 based on the following observations:
- VMware vCenter version 7.0.2.00100 (build 17920168 – update 2a) appears to be the last vulnerable version. As of version 7.0.2.00200 (build 17958471 – update 2b), the Proof-of-Concept exploit no longer works.
- Applying the workaround, specifically for the “VMware Cloud Director Availability” plugin, as described in KB83829 prevents the Proof-of-Concept exploit to work.
- CVE-2021-21986 describes a vulnerability in the authentication mechanism of specific plug-ins, including the “VMware Cloud Director Availability” plugin. The URL used in the Proof-of-Concept exploit is related to the “VMware Cloud Director Availability” plugin.
- Once the patch or workaround is applied, the Proof-of-Concept exploit no longer functions and a “HTTP Status 401 – Unauthorized” message is returned from vCenter.
- PoC exploit
- VMware Advisory VMSA-2021-0010
- VMware Advisory VMSA-2021-0027
- VMware KB83829 – workaround CVE-2021-21986
Do you want to be informed in time? Sign up for our technical updates
Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.