Running VMware vCenter Server? It's patch-o-clock, yesterday, because there is a howling great CVSS 9.8-rated, remotely exploitable vulnerability in it (CVE-2021-22005) and exposed users should assume compromise.
VMware itself spelled it out late September 21: "The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available."
The pre-authentication remote code execution (pre-auth RCE) vulnerability, allocated CVE-2021-22005, was reported to VMware by George Noseevich and Sergey Gerasimov of Russia's SolidLab LLC. (Scanning activity for exposed servers has started, security intelligence firm Bad Packets said early on September 22, 2021.)
While an estimated 90% of VMware vCenter devices are located entirely inside the perimeter, Positive Technologies in February -- reporting another critical CVE -- found over 6,000 internet-facing VMware vCenter devices worldwide open to attack. (Each can, in theory, be managing up to 70,000 VMs and 5,000 hosts...)
See also: Exclusive - We name NATO's New CIO
VMware described CVE-2021-22005 as an "arbitrary file upload vulnerability in the Analytics service". An attacker with network access to port 443 on vCenter Server can exploit it by uploading a specially crafted file.
The critical vulnerability is one of 19 in vCentre that were patched this week by VMware. It affects vCenter Server 6.5, 6.7, and 7.0. (vCentre Server is the management interface to VMware's server virtualisation products, and lets users manage up to 70,000 VMs and 5,000 hosts. Compromise can have monstrous impact.)
VMware emphasised that emergency patching will not impact workloads running on vSphere clusters. Users will lose the ability to manage vSphere and connect to VM consoles, but the workloads will stay running.
"Emergency" VMware vCentre server vulnerability CVE-2021-22005
"With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence," VMware advised, adding that "organizations that practice change management using the ITIL definitions of change types would consider this an 'emergency change.'"
The security vulnerability comes six months after another critical (also CVSS 9.8) RCE bug in vCentre Server (CVE-2021-21972) was reported to the company by Russian security firm Positive Technologies.
"The biggest issue most environments have when curtailing access to vSphere management interfaces is that this prevents use of VM consoles. However, just as most organizations wouldn't let everybody in their organization access the physical consoles of servers in the data center, we don't recommend that customers allow everyone access to core infrastructure management. Instead, drive VM & workload management activity towards RDP & SSH direct to the workloads themselves" VMware noted in its FAQ on the vulnerability.
"Done in this way, those management connections are easier to secure (especially with distributed firewalling via NSX-T), monitored more thoroughly (vRealize Log Insight & vRealize Network Insight), and can be directly scrutinized by workload network security controls like IDS & IPS systems" VMware added.
The company admitted that "by not explicitly showing best practices we have left a gap for many customers who are not as security-knowledgeable as they might need to be nowadays. We are working to fix that with more prescriptive guidance, which is already apparent in the updates to the vSphere Security Configuration Guide." More to follow.