With proofs of concept public, attackers are likely exploiting this vulnerability weeks after patches were released.

Three weeks after releasing patches for a critical vulnerability in VMware vCenter, thousands of servers that are reachable from the internet remain vulnerable to attacks. VMware vCenter is used by enterprises to manage virtual machines, the VMware vSphere cloud virtualization solution, ESXi hypervisors, and other virtualized infrastructure components.

Remote code execution and authentication bypass

On May 25, VMware published a critical advisory and released patches covering two serious vulnerabilities that stem from the use of VMware vCenter plug-ins. The first vulnerability, tracked as CVE-2021-21985, is caused by improper input validation in the Virtual SAN (vSAN) Health Check plug-in that’s enabled by default in vCenter Server.

VMware vSAN is used for storage virtualization, but even if the plug-in is not actively used, the presence of the plug-in on the server is enough to enable attacks. A hacker with access to the server over port 443 (HTTPS) can exploit this issue without authentication to execute commands with unrestricted privileges on the operating system that hosts vCenter Server versions 6.5, 6.7 and 7.0, as well as VMware Cloud Foundation 3.x and 4.x, which include vCenter Server.

The second vulnerability, tracked as CVE-2021-21986, is rated as medium severity and impacts the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plug-ins. Attackers with access to a server over port 443 can perform actions allowed by the affected plug-ins without authentication.

Publicly exposed VMware servers

Researchers from security firm Trustwave recently performed a scan using Shodan and identified 5,271 instances of VMware vCenter Server that are configured to be accessible from the internet. The vast majority of them (5,076) operate over port 443.

The researchers managed to connect to 4,969 of those servers and download information from their greeting banner, which includes more details about the specific version of the server, such as build number and underlying operating system. The collected information revealed that 4,019, or 80.88%, of the scanned servers had not yet been patched for these flaws, and that most of the remaining ones are running much older versions of the software that are considered end-of-life and are likely vulnerable to a variety of older issues.

If the ratio of unpatched servers is so high among publicly accessible servers, which are generally easier to attack and should be carefully monitored, it’s fair to assume that many vCenter Servers remain unpatched on private networks. However, attackers have many ways of gaining access to corporate networks, so attacking such servers would not be hard.

Proof-of-concept exploits and urgent need to patch

Since the patches were released in May, security researchers have developed and published proof-of-concept exploits for these issues, so potential attackers don’t have to spend much effort to start exploiting these issues in the wild. VMware warned users from the start that these vulnerabilities need to be patched as soon as possible and even published manual workarounds that involve editing the compatibility-matrix.xml file to disable the vulnerable plug-ins.

“If you ARE a vSAN customer, disabling the vSAN plugin will remove all ability to manage vSAN,” VMware said in a blog post. “No monitoring, no management, no alarms, nothing. This might be fine for your organization for very short periods of time but we at VMware cannot recommend it.
Please use caution.”

“In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” the company said.
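The Trustwave scan above worked from the version and build number each vCenter reports; a defender can apply the same check to an internal inventory. The following is an added example, not code from the article or from VMware: it parses the `about.fullName` string the vSphere API returns (format assumed to be "VMware vCenter Server 7.0.2 build-NNNNNNNN"), compares the build against a table of minimum fixed builds, and ranks internet-facing unpatched instances first. The build thresholds and end-of-life lines are placeholders and must be taken from VMware's advisory before use; the inventory is constructed sample data.

```python
import re
from dataclasses import dataclass

# Lowest build that carries the fix, per vCenter release line.
# PLACEHOLDER numbers: replace with the fixed builds listed in VMware's advisory.
FIXED_BUILDS = {"6.5": 65000000, "6.7": 67000000, "7.0": 70000000}
# Assumption: release lines that no longer receive fixes at all.
END_OF_LIFE = {"5.5", "6.0"}

# Matches ServiceInstance.content.about.fullName, assumed to look like
# "VMware vCenter Server 7.0.2 build-12345678"
FULLNAME_RE = re.compile(r"VMware vCenter Server (\d+\.\d+)(?:\.\d+)? build-(\d+)")

@dataclass
class Finding:
    host: str
    line: str
    build: int
    status: str    # patched | vulnerable | end-of-life | unknown
    priority: str  # critical | high | medium | low

def classify(host: str, full_name: str, internet_facing: bool) -> Finding:
    m = FULLNAME_RE.search(full_name)
    if not m:
        # Banner did not parse: still worth a look, more so if it is exposed.
        return Finding(host, "?", 0, "unknown", "high" if internet_facing else "medium")
    line, build = m.group(1), int(m.group(2))
    if line in END_OF_LIFE or line not in FIXED_BUILDS:
        status = "end-of-life"
    elif build >= FIXED_BUILDS[line]:
        status = "patched"
    else:
        status = "vulnerable"
    # Exposure on port 443 decides how urgent an unpatched instance is.
    priority = "low" if status == "patched" else ("critical" if internet_facing else "high")
    return Finding(host, line, build, status, priority)

# Constructed sample inventory: (host, about.fullName, reachable from the internet?)
SAMPLE_INVENTORY = [
    ("vc01.example.test", "VMware vCenter Server 7.0.2 build-70000123", True),
    ("vc02.example.test", "VMware vCenter Server 6.7.0 build-66999999", True),
    ("vc03.example.test", "VMware vCenter Server 6.5.0 build-64999000", False),
    ("vc04.example.test", "VMware vCenter Server 6.0.0 build-60000001", True),
]

def audit(inventory):
    return [classify(host, name, exposed) for host, name, exposed in inventory]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host:20} {f.line:4} build {f.build:<10} {f.status:12} {f.priority}")
```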