VMware vCenter Server under active attack via flaw rated 9.8


A VMware vulnerability rated 9.8 out of 10 on the CVSS scale is under active exploitation. At least one exploit has been made public, and there have been successful attempts in the wild to compromise servers that run the vulnerable software.

The vulnerability is tracked as CVE-2021-21985 and is found in vCenter Server, the central management platform for VMware virtualization in large-scale data centres.

A VMware advisory published this past week said vCenter Server machines in their default configuration are affected, because the flaw sits in a plug-in (the Virtual SAN Health Check plug-in) that is enabled by default. An attacker who can reach the vCenter web interface on port 443, for instance when that port is exposed to the internet, can execute commands with unrestricted privileges on the operating system that hosts vCenter Server.

It works reliably with no authentication needed

On Wednesday, a researcher published proof-of-concept code that exploits the flaw. A fellow researcher, who asked to remain anonymous, said the exploit is reliable and that little, if any, additional work is needed to use the code for malicious purposes.

The attack can be reproduced with five requests made with cURL, a command-line tool that transfers data over HTTPS, HTTP, IMAP and other common internet protocols.

Another researcher who tweeted about the published exploit said he was able to modify it to gain access with a single click; no authentication is needed.

A serious problem

Kevin Beaumont, a researcher, said on Friday that one of his internet-connected honeypots, a server deliberately running out-of-date software so that scanning and exploitation attempts can be observed, began being scanned by systems looking for vulnerable servers.

He tweeted 35 minutes later that one of his honeypots got popped with CVE-2021-21985 while he was working, adding 'I haz web shell' and remarking on his surprise that it was not a coin miner.

A web shell is a script that an attacker plants on a compromised web server after gaining code execution. It accepts commands over ordinary HTTP requests and runs them on the host, so the attacker can keep coming back without re-exploiting the flaw. Because the vulnerable vCenter Server component runs with unrestricted privileges, an installed web shell lets the attacker remotely control the machine as if they were an administrator.
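As an added example, not code from the article, from VMware or from any of the researchers quoted: a small Python scanner for the kind of web shell described above. The vSphere Client is a Java web application, so a shell dropped into it is typically a JSP file that passes an attacker-controlled request parameter to Runtime.exec or ProcessBuilder. The directory layout and the sample JSP files are constructed for the demo; the scan path, file extensions and patterns are assumptions to adjust for a real deployment, and every hit should be reviewed by hand.

```python
"""Added example (not from the Techzine article or from VMware): scan a
Java web application's document root for files that look like web shells.
The sample webroot below is constructed for the demo."""

import os
import re
import tempfile

# Patterns that are rare in legitimate JSP views but typical of shells:
# request input flowing into a process-execution call.
SUSPICIOUS_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
    re.compile(r"request\.getParameter\s*\("),
]
# Assumption: the application serves JSP-family files; extend as needed.
SHELL_EXTENSIONS = (".jsp", ".jspx", ".jspf")

# Constructed sample files (relative path -> content) for the demo.
SAMPLE_FILES = {
    # Legitimate-looking view: reads a parameter but never executes it.
    "ui/index.jsp": (
        "<html><body><%= \"Hello, \" + request.getParameter(\"name\") %>"
        "</body></html>\n"
    ),
    # Classic one-line shell: parameter goes straight into Runtime.exec.
    "ui/resources/health.jsp": (
        "<% String c = request.getParameter(\"cmd\");"
        " Process p = Runtime.getRuntime().exec(c); %>\n"
    ),
    # Not a JSP: ignored even though it mentions exec in a comment.
    "ui/resources/app.js": "// Runtime.getRuntime().exec( is only text here\n",
}


def score_file(path):
    """Return the list of suspicious patterns matched in one file."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    return [pat.pattern for pat in SUSPICIOUS_PATTERNS if pat.search(text)]


def scan_webroot(root):
    """Walk `root` and return {relative_path: matched_patterns} for
    JSP-family files that both read request input and reach a
    process-execution call (the web-shell signature)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SHELL_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            hits = score_file(full)
            reads_input = any("getParameter" in h for h in hits)
            executes = any("exec" in h or "ProcessBuilder" in h for h in hits)
            if reads_input and executes:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_webroot():
    """Write the constructed sample files into a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed webroot and return the findings dict."""
    root = build_sample_webroot()
    findings = scan_webroot(root)
    for rel, hits in sorted(findings.items()):
        print(f"SUSPECT {rel}: {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    demo()
```

Run it as a script to see the single suspect file reported; on a real host, call scan_webroot() with the deployed web content directory. The two-condition rule (reads a request parameter and executes a process) keeps ordinary views that merely read parameters out of the results, but a shell that obfuscates its strings or stages commands through a file will evade it, so treat the scanner as a triage aid rather than proof of a clean system.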