At the end of May, in the post Vulnerability CVE-2021-21985 in vSphere Client, patch it! I reported on the CVE-2021-21985 vulnerability in the VMware vSphere Client and called for patching. Now a proof of concept (PoC) has not only become public; attackers are also scanning the Internet for unpatched VMware vCenter Server instances.
Security vendor Tenable points out these attacks on VMware vSphere Client exploiting the CVE-2021-21985 vulnerability in the following tweet.
CVE-2021-21985 allows remote code execution in the vSphere Client via the Virtual SAN (vSAN) Health Check plugin, which is enabled by default. The vulnerability has been assigned a CVSSv3 score of 9.8 (critical). Exploitation is possible if an attacker can reach vCenter Server on port 443. Even if an organization has not exposed its vCenter Servers publicly, attackers could exploit this vulnerability once they are inside the network. VMware specifically notes that ransomware groups are adept at exploiting vulnerabilities such as this one after they have already gained access to a network through other means, such as spear-phishing. Successful exploitation allows an attacker to execute arbitrary commands on the underlying vCenter host.
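The paragraph above describes the exposure that matters to defenders: the vSphere Client reachable on port 443, the vSAN Health plugin enabled by default, and a risk that persists inside the network once an attacker has a foothold. The following Python script is an added example, not code from the original post or from VMware: it runs three simple checks over web-access log lines in combined format, constructed here for illustration, and flags requests from the scanning address named later in this post, requests to the vSAN Health plugin UI path (the `/ui/h5-vsan/` prefix is an assumption about how that plugin is addressed), and any vSphere Client request arriving from outside the internal address ranges (assumed to be RFC 1918 plus loopback).

```python
import ipaddress
import re

# Constructed sample lines in combined log format; these are NOT real vCenter logs.
SAMPLE_LOG = """\
18.104.22.168 - - [03/Jun/2021:10:15:01 +0000] "GET /ui/ HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
18.104.22.168 - - [03/Jun/2021:10:15:02 +0000] "POST /ui/h5-vsan/rest/proxy/service/probe HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
10.0.0.5 - - [03/Jun/2021:10:16:40 +0000] "GET /ui/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Jun/2021:10:16:41 +0000] "POST /ui/h5-vsan/rest/proxy/service/probe HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2021:10:20:00 +0000] "GET /ui/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [03/Jun/2021:10:21:00 +0000] "GET /rest/appliance/health/system HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Source address reported in this post as mass-scanning for vulnerable vSphere hosts.
KNOWN_SCANNERS = {"18.104.22.168"}

# Assumption: URL prefix under which the vSAN Health plugin is served by the vSphere Client.
VSAN_PLUGIN_PREFIX = "/ui/h5-vsan/"

# Assumption: the organization's internal space is RFC 1918 plus loopback.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_internal(ip):
    """True if ip lies in one of the assumed internal ranges; non-IP strings count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(entry):
    """Return the list of reasons this request deserves attention (empty if none)."""
    reasons = []
    if entry["ip"] in KNOWN_SCANNERS:
        reasons.append("source on known-scanner watchlist")
    if entry["path"].startswith(VSAN_PLUGIN_PREFIX):
        # Flagged regardless of source: the post stresses post-foothold exploitation from inside.
        reasons.append("request to vSAN Health plugin endpoint")
    if entry["path"].startswith("/ui") and not is_internal(entry["ip"]):
        reasons.append("vSphere Client reached from a non-internal address")
    return reasons


def scan_log(text):
    """Run the checks over every line; return one finding dict per flagged or unparsable line."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            findings.append({"ip": None, "path": None, "reasons": ["unparsable line"], "line": line})
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "path": entry["path"], "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:>15}  {f['path']}")
        for r in f["reasons"]:
            print(f"                 - {r}")
```

Run against the constructed sample, the script flags both scanner requests, the internal request to the plugin path, and the external client request, while the ordinary internal sessions pass. The point of the third check is the one the paragraph makes: a vSphere Client that answers to non-internal addresses on port 443 is the exposure to remove first, and the plugin-path check stays useful afterwards because the post warns that the same vulnerability is exploited from inside the network after a foothold is gained elsewhere.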
Kevin Beaumont points out in this tweet that a working public proof of concept (PoC) is available. In addition, he writes: Mass scanning activity detected from 18.104.22.168 checking for VMware vSphere hosts vulnerable to remote code execution (CVE-2021-21985). One of his honeypots also recorded an infection via this vulnerability. The colleagues at Bleeping Computer also point out the issue in the following tweet and have published this article with more information.
So anyone running VMware vCenter servers should make sure that the instances are patched. Otherwise, a ransomware infection is likely to be imminent.