INTRODUCTION
Unpatched VMware vCenter Server instances are exposed to a critical remote code execution flaw, and malicious actors are actively scanning for and exploiting them.
DETAILS
Bad Packets’ team detected the scanning activity, with the company’s chief research officer Troy Mursch tweeting “Mass scanning activity detected from 104.40.252.159 checking for VMware vSphere hosts vulnerable to remote code execution.”
The findings were validated by Kevin Beaumont, head of the security operations center at Arcadia Group Ltd.
VMware vCenter Server is the centralized management platform for vSphere environments; administrators use it to control ESXi hosts, virtual machines and related components from a single location, which is why compromise of the server itself is so severe.
A proof of concept for the vulnerability has also been published. The flaw, tracked as CVE-2021-21985 with a CVSSv3 base score of 9.8, stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server. An attacker with network access to the vSphere Client (port 443) can exploit it to execute arbitrary commands with unrestricted privileges on the underlying operating system hosting vCenter Server.
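Because the vulnerable plug-in is enabled by default, administrators who cannot patch immediately want a way to confirm it has been switched off. The script below is an added example, not code from the original article or from VMware. It assumes the workaround VMware published alongside the fix (VMware KB 83829), which marks the plug-in package id "com.vmware.vsan.health" as status="incompatible" in /etc/vmware/vsphere-ui/compatibility-matrix.xml so that the vsphere-ui service no longer loads it; the two XML documents embedded in the script are constructed samples, not copies of a real vCenter file, and the element layout they use is an assumption about that file's format.

```python
"""Audit a vCenter compatibility-matrix.xml for the CVE-2021-21985 workaround.

Added example, not part of the original article or VMware's own tooling.
Assumption: the workaround marks the vSAN Health Check plug-in package
"com.vmware.vsan.health" as status="incompatible" inside <pluginsCompatibility>
in /etc/vmware/vsphere-ui/compatibility-matrix.xml. The sample XML below is
constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

# Plug-in package id the workaround disables (assumed from VMware KB 83829).
VSAN_HEALTH_PLUGIN_ID = "com.vmware.vsan.health"
# Path of the matrix file on a vCenter Server Appliance (assumed).
MATRIX_PATH = "/etc/vmware/vsphere-ui/compatibility-matrix.xml"

# Constructed sample: no plug-ins disabled, i.e. the default (vulnerable) state.
DEFAULT_MATRIX = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
  </pluginsCompatibility>
</Matrix>
"""

# Constructed sample: the same file after the workaround has been applied.
HARDENED_MATRIX = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vsan.health" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def disabled_plugins(xml_text):
    """Return the set of PluginPackage ids marked status="incompatible"."""
    root = ET.fromstring(xml_text)
    return {
        pkg.get("id")
        for pkg in root.iter("PluginPackage")
        if pkg.get("id") and pkg.get("status", "").strip().lower() == "incompatible"
    }


def vsan_health_disabled(xml_text):
    """True when the vSAN Health Check plug-in is marked incompatible."""
    return VSAN_HEALTH_PLUGIN_ID in disabled_plugins(xml_text)


def audit(xml_text):
    """Summarise the workaround state of one matrix document."""
    disabled = disabled_plugins(xml_text)
    return {
        "vsan_health_disabled": VSAN_HEALTH_PLUGIN_ID in disabled,
        "disabled_plugins": sorted(disabled),
    }


def main(argv):
    # With a path argument, audit a real file; otherwise show both samples.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            targets = [(argv[1], fh.read())]
    else:
        targets = [("default sample", DEFAULT_MATRIX),
                   ("hardened sample", HARDENED_MATRIX)]
    for label, text in targets:
        result = audit(text)
        state = "disabled (workaround applied)" if result["vsan_health_disabled"] \
            else "ENABLED (vulnerable unless patched)"
        print(f"{label}: vSAN Health plug-in {state}; "
              f"incompatible plug-ins: {result['disabled_plugins'] or 'none'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 audit_matrix.py /etc/vmware/vsphere-ui/compatibility-matrix.xml` on the appliance. Two caveats: the workaround only takes effect after the vsphere-ui service is restarted, and it is a stopgap, not a fix; the permanent remediation is upgrading vCenter Server to a patched build.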
vCenter Server plug-ins are no strangers to critical vulnerabilities. In February, VMware had to fix a similar critical remote code execution flaw in another vSphere Client plug-in, which allowed an attacker to compromise the target machine in much the same way as CVE-2021-21985.
According to Bad Packets, 14,858 vCenter servers were found exposed to the internet, leaving each of them reachable by any threat actor looking for a way in.