In a rare move, VMware published a blog post calling out ransomware groups as being adept at leveraging flaws like this post-compromise after having gained access to a network via other means such as spearphishing.
In a rare move, VMware published a blog post calling out ransomware groups as being adept at leveraging flaws like this post-compromise after having gained access to a network via other means such as spearphishing.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>VMWare exploits have been extremely popular recently, with sophisticated state-backed groups and intelligence services utilising them to assist in the successful execution of their campaigns. Patching, or the lack of, has been a growing concern within the cyber community, with the success of a large proportion of attacks in 2020 and 2021 being the result of patches not being implemented promptly.</p> <p> </p> <p>The vulnerability tracked as CVE-2021-21985 is graded high severity and relates to an issue from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in the vCenter Server. If exploited by an attacker with network access to port 443, they may be able execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. The flaw affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x.</p> <p> </p> <p>VMware has released a patch to fix the vulnerability along with a further a further flaw tracked as CVE-2021-21986, that affects Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability and could allow an attacker to carry out actions permitted by the plug-ins without any authentication.</p> <p> </p> <p>The fixes for the vCenter flaws also come after last month when the company patched another critical remote code execution bug in VMware vRealize Business for Cloud, CVE-2021-21984, CVSS score: 9.8, due to an unauthorized endpoint, that could be exploited by an attacker with network access to run arbitrary code on the appliance. Due to its global prevalence, VMWare is a lucrative platform for attackers to target. Therefore, it is advised that any VMWare users implement the patches and mitigation advice published by the company.</p>
<p>VMware has disclosed a pair of vulnerabilities impacting vCenter Server, a centralized management software for VMware vSphere systems. The most severe flaw, CVE-2021-21985, is a remote code execution vulnerability in vSphere Client, assigned a CVSSv3 score of 9.8</p> <p> </p> <p>To exploit this vulnerability, an attacker would need to be able to access vCenter Server over port 443 in the firewall. Even if an organization has not exposed vCenter Server externally, attackers can still exploit this flaw once inside a network. </p> <p> </p> <p>In a rare move, VMware published a <a href=\"https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html\" data-saferedirecturl=\"https://www.google.com/url?q=https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html&source=gmail&ust=1622121100542000&usg=AFQjCNGwyXo3-n0mHctKY0-oYTO5ZShWpw\">blog post</a> calling out ransomware groups as being adept at leveraging flaws like this post-compromise, after having gained access to a network via other means such as spearphishing. With ransomware dominating the news, this context is important and reinforces VMware’s assertion that patching these flaws should be a top priority. Successful exploitation would allow an attacker to execute arbitrary commands on the underlying vCenter host.</p> <p> </p> <p>VMware also patched CVE-2021-21986, which is an authentication mechanism issue found in several vCenter Server Plug-ins and was assigned a CVSSv3 score of 6.5, making it moderately severe.</p> <p> </p> <p>VMware has provided patches for both flaws and organizations using vCenter Servers are advised to act immediately.</p>