In response to VMware publishing details of two newly disclosed vulnerabilities in VMware vRealize Operations, an expert commented below.
Researchers have disclosed a pair of vulnerabilities in VMware’s vRealize Operations (vROps). The most severe flaw, CVE-2021-21975, is a server-side request forgery (SSRF) vulnerability in the vROps Manager API. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable vROps Manager API endpoint. Successful exploitation would result in the attacker obtaining administrative credentials.
VMware also patched CVE-2021-21983, an arbitrary file write vulnerability in the vROps Manager API, which can be used to write files to the underlying operating system. This vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw.
On their own, these vulnerabilities may not seem as severe as CVE-2021-21972, a remote code execution vulnerability in VMware’s vCenter Server that was patched in February. However, if attackers chain both CVE-2021-21975 and CVE-2021-21983 together, they could also gain remote code execution privileges.
VMware has provided patches for both flaws across vROPs Manager versions 7.5.0 through 8.3.0. They’ve also provided a temporary workaround to prevent attackers from exploiting these flaws. The workaround should only be used as a temporary stop-gap until organizations are able to plan for applying the patches.
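The commentary above gives one concrete operational fact: the fixes cover vRealize Operations Manager 7.5.0 through 8.3.0, and the workaround is a stop-gap until the patch is applied. The following is an added example, not code from the article, from VMware or from the commentator, showing how a defender might sweep an appliance inventory for versions inside that range. It assumes versions are reported as dotted strings with an optional build suffix (for example "8.2.0-17513184"); the inventory it runs over is constructed sample data. Because the article does not list the build numbers of the fixed releases, the script can only flag a host as "in the advisory range, confirm the patch or workaround", not distinguish a patched 8.3.0 from an unpatched one.

```python
"""Inventory triage for the vRealize Operations advisory discussed above.

Added example (not the article's or VMware's code). Only the affected
version range is taken from the article; the hostnames and version
strings below are constructed sample data.
"""
from typing import List, Tuple

# From the article: VMware shipped fixes for vROps Manager 7.5.0 through 8.3.0.
AFFECTED_MIN = (7, 5, 0)
AFFECTED_MAX = (8, 3, 0)

# Constructed inventory: (hostname, version string as an appliance might report it).
SAMPLE_INVENTORY = [
    ("vrops-prod-01", "8.3.0"),
    ("vrops-prod-02", "8.2.0-17513184"),  # dotted version plus build suffix
    ("vrops-lab-01", "7.0.0"),            # below the range the article covers
    ("vrops-lab-02", "8.4.0"),            # above the range the article covers
    ("vrops-dr-01", "7.5.0"),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.2.0-17513184', '8.2.0' or '8.2' into a (major, minor, patch) tuple.

    Build metadata after '-' or '+' is ignored; missing components default to 0.
    Raises ValueError for anything that is not a dotted numeric version.
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_affected_range(version: str) -> bool:
    """True when the version lies inside 7.5.0 .. 8.3.0 (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory) -> List[Tuple[str, str, str]]:
    """Return (host, version, action) rows for every appliance in the inventory.

    Hosts inside the advisory range need the VMware patch (the workaround is
    only a stop-gap); hosts outside it are not covered by the article and must
    be checked against VMware's own advisory. Unparseable versions are flagged
    for manual review rather than silently skipped.
    """
    rows = []
    for host, version in inventory:
        try:
            flagged = in_affected_range(version)
        except ValueError as exc:
            rows.append((host, version, f"manual review: {exc}"))
            continue
        action = (
            "apply VMware patch; workaround only as a temporary stop-gap"
            if flagged
            else "outside the range the article covers; check VMware's advisory"
        )
        rows.append((host, version, action))
    return rows


if __name__ == "__main__":
    for host, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {version:16} {action}")
```

Unparseable version strings are deliberately surfaced as "manual review" rows instead of being dropped, since a host that reports an odd version is exactly the one most likely to be missed in a patch campaign.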
Satnam Narang, Senior Research Engineer, provides expert commentary at Information Security Buzz. Source: https://informationsecuritybuzz.com/expert-comments/chained-vulnerabilities-in-vmware-vrealize-operations-could-lead-to-unauthenticated-remote-code-execution
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.