RCE is back: VMware details file upload vulnerability in vCenter Server

Once again, if a malicious actor can hit port 443 on vCenter Server, it's goodnight nurse.
Written by Chris Duckett, Contributor
Image: Shutterstock

If you haven't patched vCenter in recent months, please do so at your earliest convenience.

Following on from the remote code execution hole in vCenter it disclosed in May, VMware has warned of a critical vulnerability in the analytics service of vCenter Server.

"A file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server," the company said in a blog post.

Tracked as CVE-2021-22005, the vulnerability carries a CVSSv3 score of 9.8: a malicious actor needs only network access to port 443 and a file to upload that is capable of exploiting an unpatched server.

The vulnerability affects versions 6.7 and 7.0 of the vCenter Server Appliance. The fixed releases are 7.0U2c (build 18356314, released August 24) and 6.7U3o (build 18485166, released September 21); those builds and any later build are patched. vCenter Server 6.5 is not affected.
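As an added example (not VMware's code and not part of the original article), the following Python snippet classifies a vCenter appliance against the fixed builds listed above, so an administrator with several appliances can check them from a script rather than by eye. It assumes the response shape of the appliance REST endpoint GET /api/appliance/system/version (7.0) or /rest/appliance/system/version (6.7), which returns "version" and "build" as strings and, on 6.7, wraps the body in a "value" object; that assumption and the sample responses below are constructed for the example.

```python
"""Classify vCenter Server builds against the CVE-2021-22005 fixed builds.

Added example, not VMware's code. Fixed builds and the 6.5 exemption are as
stated in the article; the REST response shape is an assumption.
"""
import json

# Fixed builds from the VMware advisory, as reported in the article.
FIXED_BUILDS = {
    "7.0": 18356314,  # 7.0U2c, released 24 August 2021
    "6.7": 18485166,  # 6.7U3o, released 21 September 2021
}
NOT_AFFECTED = {"6.5"}  # 6.5 is not affected by CVE-2021-22005


def major_minor(version):
    """Reduce '7.0.2' or '6.7.0' to the '7.0' / '6.7' line the advisory keys on."""
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised version string: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def classify(version, build):
    """Return 'patched', 'vulnerable', 'not_affected' or 'unknown'.

    'unknown' covers product lines the advisory does not list (for example a
    future major version); treat it as "check the advisory", not as safe.
    """
    line = major_minor(version)
    if line in NOT_AFFECTED:
        return "not_affected"
    if line not in FIXED_BUILDS:
        return "unknown"
    return "patched" if int(build) >= FIXED_BUILDS[line] else "vulnerable"


def classify_version_response(raw_json):
    """Parse an appliance version response (assumed shape) and classify it.

    7.0's /api endpoint returns the object directly; 6.7's /rest endpoint
    wraps it in {"value": {...}}. Both carry 'version' and 'build' strings.
    """
    data = json.loads(raw_json)
    body = data.get("value", data)
    return classify(body["version"], body["build"])


# Constructed sample responses (not captured from real appliances).
SAMPLE_70_PATCHED = json.dumps({"version": "7.0.2", "build": "18356314",
                                "product": "VMware vCenter Server"})
SAMPLE_70_VULNERABLE = json.dumps({"version": "7.0.2", "build": "18010599",
                                   "product": "VMware vCenter Server"})
SAMPLE_67_PATCHED = json.dumps({"value": {"version": "6.7.0",
                                          "build": "18485166"}})
SAMPLE_67_VULNERABLE = json.dumps({"value": {"version": "6.7.0",
                                             "build": "17138155"}})
SAMPLE_65 = json.dumps({"value": {"version": "6.5.0", "build": "17994927"}})


if __name__ == "__main__":
    for label, sample in [("7.0 patched", SAMPLE_70_PATCHED),
                          ("7.0 old", SAMPLE_70_VULNERABLE),
                          ("6.7 patched", SAMPLE_67_PATCHED),
                          ("6.7 old", SAMPLE_67_VULNERABLE),
                          ("6.5", SAMPLE_65)]:
        print(f"{label:12} -> {classify_version_response(sample)}")
```

The check is deliberately keyed on the build number rather than the update name, because the update name is what the marketing pages show while the build number is what the appliance actually reports; a build equal to or above the fixed build on the same product line is patched, anything below it on 6.7 or 7.0 is exposed.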

For those who cannot apply the patch immediately, VMware has issued workaround instructions. The workaround is only a stopgap and will be reverted once the server instance is patched.

VMware said users should patch immediately.

"The ramifications of this vulnerability are serious and it is a matter of time -- likely minutes after the disclosure -- before working exploits are publicly available," it said.

Other vulnerabilities addressed in VMware's advisory included CVE-2021-21991, a CVSSv3 8.8 local privilege escalation involving session tokens that would let users gain administrator access; CVE-2021-22006, a CVSSv3 8.3 reverse proxy bypass that could allow access to restricted endpoints; and CVE-2021-22011, which could allow unauthenticated manipulation of VM network settings.

All up, of the 19 vulnerabilities listed in its advisory, 10 were found by George Noseevich and Sergey Gerasimov of SolidLab.

Elsewhere, Claroty Team 82 detailed how it chained together a number of vulnerabilities in Nagios XI to gain a reverse shell running as root.

Although 11 vulnerabilities were found -- four of which were handed a CVSSv3 score of 9.8 and included an SQL injection -- only two were needed for the reverse shell: CVE-2021-37343, a path traversal vulnerability that allows for code to be executed as the Apache user; and CVE-2021-37347 that allows for local privilege escalation.

The auto login feature of Nagios XI that allows for read-only access to the Nagios dashboard without credentials greatly expanded the attack surface, Team 82 said.

"While this feature might be useful for NOC purposes, allowing users to easily connect to the platform and view information without the need for credentials also allows attackers to gain access to a user account in the platform, thus rendering any post-auth vulnerability exploitable without authentication," they said.

Patched versions of vulnerable Nagios XI products were released in August.

Image: Claroty (captioned "One reverse root shell coming up")