On the 23rd of February 2021 VMware issued the VMSA-2021-0002 security advisory and one of the issues it addresses is VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972). This is a critical issue, and if left unpatched could land your vSphere estate in big trouble as there is already Proof-of-Concepts available for this vulnerability. So get patching as soon as possible.
Of course, this can only be exploited if you have access to the VMware vCenter Client, so if the managment plane is isolated that helps mitigate the risk.
What worries me though, is that according to zdnet.com More than 6,700 VMware servers exposed online and vulnerable to major new bug. If these number are indeed correct, a lot of VI Admins needs to have a real hard look in the mirror. That being said. all zdnet seems to have done is to is to do a scan in Shodan for vCenter instances, and not actually check if any of the results are indeed vulnerable, even if they state the following:
More than 6,700 VMware vCenter servers are currently exposed online and vulnerable to a new attack that can allow hackers to take over unpatched devices and effectively take over companies' entire networks.
That number of instances are probably not vulnerable, as “only” vCenter versions prior to 6.5u3n, 6.7 U3l and 7.0 U1c are vunerable, and a bunch of these found in Shodan are most likely already patched, or running older versions. The real number of available and vulnerable instances is probably a lot less then 6,700, but that doesn’t mean that there isn’t a lot of systems out there waiting to be attacked.
Apparently there is already automated scans out there, looking for installations to exploit:
We've detected CVE-2021-21972 activity from other countries as well, but we can't fit any more flag emojis in the tweet. https://t.co/Hw7dG4TUws— Bad Packets (@bad_packets) February 27, 2021
Also, when your vCenter is exposed, so are your ESXi hosts and that leaves you open to being attacked with CARBON SPIDER and SPRITE SPIDER, ransomware. Once that happens, you’re in for a very bad day, week or even month.
Lars Trøen has posted a nice Twitter thread about the same, also linking to Shodan searches and links to a Proof-of-Concept for the exploit:
There is no reason to host neither your vCenter nor ESXi host on the public internet. https://t.co/la0KzXBiMS— Lars Troen (@larstr) February 28, 2021
Summary of his links from the thread:
- Shodan Search for vCenters
- Shodan Search for ESXi hosts
- PoC Unauthorized RCE in VMware vCenter
- The ESXi ransomware post-mortem (Reddit user NetInfused)
To be blunt; there is simply no valid reason why your VMware vCenter, or ESXi hosts, should be available over the internet, none what so ever. In fact, it shouldn’t even be available from non-admin clients in your local network, let alone via the internet. If that is the case in your environment, odds are that there are probably other big issues present in your infrastructure as well.
I am not saying that if you expose your VMware vCenter to the internet you deserve to be exploited, but I am really, really close.
Patch your stuff, and don’t expose your infrastructure to the internet. Simple.
- vSphere VCSA 6.5 Update 2 to 6.7 Update 1 Upgrade Issues —
- VCSA - The default choice. Always. —
- vCenter Server Appliance Backups —
- VMware Update Manager: Unsupported Configuration —
- ESXi5.5 to 6.0 Upgrade From Local HTTP Daemon —