Multiple critical security vulnerabilities in two VMware network administration tools that could allow an attacker to have full access to an organization’s network have been patched.
Users of the vCenter Server and Cloud Foundation products are urged to update immediately to protect against the issues, which are being tracked collectively as VMSA-2021-0020.
The most critical issue (CVE-2021-22005) is a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance.
A security advisory issued yesterday (September 21) warns that the vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.
While the other issues have lower CVSS scores, VMware has warned that they may still be usable to an attacker that is already inside an organization’s network.
The advisory reads: “One of the biggest problems facing IT today is that attackers often compromise a desktop and/or user account on the corporate network, and then patiently and quietly use that to break into other systems over long periods of time.
“They steal confidential data, intellectual property, and at the end install ransomware and extort payments from their victims.
“Less urgent security vulnerabilities can still be potential tools in the hands of attackers, so VMware always recommends patching to remove them.”
Patch batch
Among the other bugs in vCenter Server are a local privilege escalation vulnerability (CVE-2021-21991), a reverse proxy bypass vulnerability (CVE-2021-22006), and improper permission local privilege escalation vulnerabilities (CVE-2021-22015).
Chris Sedgewick, director of security operations at Talion, commented: “Due to its global prevalence VMWare is a lucrative platform for attackers to target, and recently VMWare exploits have been extremely popular, with sophisticated state-backed groups and intelligence services utilizing them to assist in the successful execution of their campaigns.
“Back in May, a similar exploit in vCenter was disclosed after Russian threat groups were exploiting it. Therefore, it is especially important for users to take swift action by quickly following the recommended actions and implementing the security updates for VMWare.”
There is a workaround available to mitigate the most critical vulnerability; however, users are advised to patch their software against all issues.
VMware wrote: “All vulnerabilities, even ones with lower CVSS scores, are tools in the hands of attackers. We urge customers to patch vCenter Server immediately.”
More information including a FAQ can be found on the VMware blog.