Attackers are targeting the remote code execution vulnerability in VMware’s vCenter Server that the company disclosed last week. Large-scale scanning for vulnerable instances is under way from a number of separate sources, and working exploit code is publicly available.
VMware has confirmed that attackers are actively exploiting the flaw, and security researchers have seen a variety of actors running mass scans across the Internet searching for vulnerable hosts. As of Friday, security firm Censys identified more than 3,200 potentially vulnerable vCenter Server instances exposed to the Internet, offering a broad target base for attackers. The vulnerability (CVE-2021-22005) allows a remote attacker to upload an arbitrary file without authentication, and it affects several current versions of vCenter Server.
“Understanding the new conditionals in AsyncTelemetryController makes vulnerability development trivial. You are, in effect, asking VMware’s unauthenticated analytics service (which collects telemetry data from other components of vCenter to report to VMware’s cloud) to write a file to disk in a path of your choosing. When data is sent to the telemetry service, it is first written to a log file using log4j2 into either /var/log/vmware/analytics/stage (if using the /ph-stg endpoint), or /var/log/vmware/analytics/prod (if using the /ph endpoint),” Censys CTO Derek Abdine wrote in an analysis of the bug.
“Once the file has been written, the last step is to find an external mechanism that will execute the data contained in the file. This is not difficult, as there are very well known locations in Linux-based operating systems that will read a file with any extension and execute its contents. Censys has confirmed execution, but will not release this last step to give defenders a bit more time to patch.”
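The quoted analysis gives defenders two concrete things to watch: requests to the unauthenticated /ph and /ph-stg telemetry endpoints, and the stage and prod directories those requests write into. The following triage helper is an added example, not code from the article, from Censys or from VMware. It assumes a combined-format web access log, that legitimate telemetry submissions come only from the appliance itself or the management network (127.0.0.0/8 and 10.0.0.0/8 here, an assumption to adjust per environment), and the sample log lines, including the full request paths around the /ph and /ph-stg segments, are constructed for illustration.

```python
"""Triage helper: flag requests to vCenter's analytics telemetry endpoints
that come from sources not expected to submit telemetry, and report which
on-disk directory each request would have written into."""
import ipaddress
import re
from collections import Counter

# Path segments named in the Censys analysis and the directory each one writes to.
TELEMETRY_SEGMENTS = {
    "ph": "/var/log/vmware/analytics/prod",
    "ph-stg": "/var/log/vmware/analytics/stage",
}

# Assumption: telemetry is submitted by vCenter components on the appliance or the
# management network. Anything outside these ranges is worth a closer look.
EXPECTED_SOURCES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Apache/nginx "combined" access-log format (assumed; adjust for the real source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic). The full paths are assumptions;
# only the /ph and /ph-stg segments come from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2021:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2021:10:02:15 +0000] "POST /analytics/telemetry/ph-stg/api/send HTTP/1.1" 201 12 "-" "python-requests/2.25.1"
198.51.100.9 - - [24/Sep/2021:10:02:16 +0000] "POST /analytics/telemetry/ph/api/send HTTP/1.1" 201 12 "-" "curl/7.68.0"
10.0.0.5 - - [24/Sep/2021:10:03:00 +0000] "GET /analytics/ping HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""


def telemetry_target(path):
    """Return the directory a request to this path would write into, or None
    if the path does not touch one of the telemetry endpoints."""
    clean = path.split("?", 1)[0].strip("/")
    for segment in clean.split("/"):
        if segment in TELEMETRY_SEGMENTS:
            return TELEMETRY_SEGMENTS[segment]
    return None


def is_expected_source(ip):
    """True if the client address falls inside a range allowed to send telemetry."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field: treat as unexpected
    return any(addr in net for net in EXPECTED_SOURCES)


def find_suspicious(log_text):
    """Return one finding per telemetry request from an unexpected source."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        target = telemetry_target(m["path"])
        if target is None or is_expected_source(m["ip"]):
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": m["status"],
            "user_agent": m["ua"],
            "writes_to": target,  # directory to inspect for dropped files
        })
    return findings


def top_sources(findings):
    """Rank sources by request count; a long tail of distinct IPs with one or two
    hits each is the signature of mass scanning rather than a targeted attempt."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> inspect {h["writes_to"]}')
    print("sources:", top_sources(hits))
```

Each finding names the directory (stage or prod) that the request would have written into, so the next step of the triage is to list recently created files there and compare them against what the analytics service normally produces. Requests from inside the expected ranges are dropped from the report, which is what keeps the appliance's own telemetry traffic from drowning the signal.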
The vulnerability affects versions 6.7 and 7.0 of vCenter Server, as well as versions 3.x and 4.x of Cloud Foundation. For organizations that cannot deploy the fixed version of the software immediately, VMware has published a workaround to mitigate the vulnerability.
The ongoing attacks against the vulnerability prompted the Cybersecurity and Infrastructure Security Agency to issue an advisory urging organizations to update as soon as possible.
“Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability,” the advisory says.