Exploit released for VMware vulnerability after CISA warning

VMware, CISA and many experts have been begging people to address the CVE-2021-22005 issue.
Written by Jonathan Greig, Contributor

According to experts tracking the issue, a working exploit for CVE-2021-22005 -- a vulnerability with VMware vCenter -- has been released and is reportedly being used by threat actors. 

Last week, VMware warned of a critical vulnerability in the analytics service of vCenter Server and urged users to update their systems as soon as possible. 

On September 21, VMware said that its vCenter Server is affected by an arbitrary file upload vulnerability in the Analytics service, which would allow a malicious actor with network access to exploit this vulnerability to execute code on vCenter Servers. 

By September 24, VMware had confirmed reports that CVE-2021-22005 was being exploited in the wild, and dozens of security researchers online reported mass scanning for vulnerable vCenter Servers and publicly available exploit codes. 

CISA followed up with its own warning on Friday, writing on Twitter that they expected "widespread exploitation of VMware vCenter Server CVE-2021-22005." Like VMware, they urged users to upgrade to a fixed version as quickly as possible or apply the temporary workaround provided by VMware. 

That same day, cybersecurity company Censys released a report showing that there were around 3,264 hosts that are Internet-facing and potentially vulnerable. More than 430 had been patched, and 1,369 are either unaffected versions or have the workaround applied.

In a statement to ZDNet, VMware reiterated that it had released patches and mitigation guidance to address multiple vulnerabilities affecting VMware vCenter Server 6.5, 6.7 and 7.0. They have also issued a public security advisory. 

"Customer protection is VMware's top priority, and we strongly recommend that affected customers patch immediately as indicated in the advisory. As a matter of best practice, VMware encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment and deploy our products in a security-hardened configuration," the company said. 

"Customers should also sign-up for VMware's Security-Announce mailing list to receive new and updated VMware Security Advisories."

Derek Abdine, CTO of Censys, confirmed to ZDNet that they have reliably proven that remote execution is possible and easy to do. 

"I can confirm in-the-wild exploitation now. It looks like it's related to the second vulnerability that is part of CVE-2021-22005. I haven't seen evidence of exploitation using the hyper/send endpoint (the other part of CVE-2021-22005), but that endpoint is slightly less viable because it has a prerequisite condition. The /datapp endpoint is more concerning as there are no prerequisites, and it is thought to exist on more versions of vCenter," Abdine explained. 

"Also, internal exposure is still a big deal. There are quite a number of these externally facing, but that should not be the norm. Many organizations have private VMware clusters, and this issue will still present a significant risk to them if an attacker is able to leverage the exploit internally."

Will Dormann, a vulnerability analyst at the CERT/CC, also confirmed on Twitter that the exploit for CVE-2021-22005 is now fully public. 


A map of where all VMware vCenter hosts accessible via the Internet are located. 


According to Bad Packets, hosts from Hong Kong, Vietnam, the Netherlands, Japan, Singapore, and other countries across the globe continue to scan for the vulnerability.

Abdine noted that while a patch has been available for days, there is a "patch saturation" phenomenon where patching never really reaches 100%. 

"For example, 5 days after the Atlassian Confluence blog post went out, we only saw a drop of 30% on total exposed, vulnerable confluence services. When the Western Digital My Book Live issue came up recently, we observed the same thing even in the consumer space (versus enterprise software for Confluence/VMware)," Abdine said.

"I think there are still plenty of hosts out there that are a concern. Greynoise.io and Bad Packets are both seeing opportunistic scanning that some are calling mass exploitation. However, from what I can tell so far, whoever is running these requests that Greynoise captures and Bad Packets are simply lifting URLs from community research (by Censys and @testanull on Twitter) and attempting to hit the URLs for those without full working knowledge of how to achieve execution." 

Now that an exploit has been released, Abdine added that the "floodgates opened," allowing any attacker with lower technical skills to perform mass exploitation.

"So all in all, I don't think we're out of the woods yet -- and again, it's very common to run VMware clusters in internal datacenters that are only accessible via company VPNs. Virtual machines should continue to run. However, the operations and management you get with vCenter will absolutely be affected while the upgrade takes place and may likely impact operations for organizations regularly using vCenter," Abdine said. 

John Bambenek, the principal threat hunter at Netenrich, told ZDNet that remote code execution as root on these types of devices is pretty significant. 

Almost every organization operates virtual machines, and if a threat actor has root access, they could ransom every machine in that environment or steal the data on those virtual machines with relative ease, Bambenek said. 

Like Digital Shadows threat intelligence team lead Alec Alvarado, other experts noted that threat actors follow the news as much as security researchers. Alvarado echoed what Abdine said, explaining that less sophisticated actors now have a chance to take advantage of the vulnerability thanks to the proof of concept. 

But for Bud Broomhead, CEO at Viakoo, the situation boiled down to patch management. 

"Managing patches manually leaves an organization at risk due to the slow (or non-existent) nature of the process, leaving an organization vulnerable," Broomhead said. 

Editorial standards