Criminal IP analysis report on vSphere Critical Remote Code Execution Vulnerability

In February of last year, a critical Remote Code Execution (RCE) vulnerability, VMSA-2021-0002 (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974), was announced for vSphere, VMware's server virtualization platform. Because of this vulnerability, enterprises running vSphere face the risk of having their servers compromised without any account, and it has now been almost a year since the security patch was released. We used the Criminal IP search to look at how much damage it could still cause.


The impact of this vulnerability

Attackers can exploit this vulnerability (CVE-2021-21972) to upload files to vCenter Server without authorization. The root cause is a missing authentication check in the vRealize Operations vCenter plug-in. An attacker reaches the vulnerable endpoint over tcp/443, the port that serves the vCenter application, without any ID/password authentication. By uploading a specially crafted file to the vCenter Server endpoint through this vCenter administrator page, the attacker gains remote code execution and can ultimately run arbitrary commands on the operating system that hosts vCenter Server. Because the server can be completely taken over, the vulnerability carries a near-maximum risk score of 9.8 out of 10.

A more detailed description of the exploitation method is given on the blog below:

Vulnerability scripts:

- NS-Sp4ce/CVE-2021-21972
- QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC
- horizon3ai/CVE-2021-21972
- yaunsky/CVE-2021-21972

In general, the vCenter administrator page sits behind a firewall so that only the company's infrastructure team can reach it. However, where network segregation is not strictly enforced, employees outside the infrastructure department can also reach the vCenter administrator page, which lets such insiders bypass authentication and break into critical vCenter servers. The natural next step for attackers is to infect the PCs of non-IT staff (human resources, general affairs, marketing teams and so on), who tend to have weaker security awareness, and then pivot from those PCs into vCenter.

More serious still is a firewall misconfiguration, or a mistake by infrastructure staff or developers, that inadvertently exposes the vCenter administrator page to the public Internet. If the tcp/443 (https) port that serves a company's vCenter administrator page is already reachable from the Internet, attackers can break into that company's vCenter directly from outside, without having to infect any employee's PC, and easily take over the many virtual servers that vCenter manages.

The global status of servers exposed to the vCenter vulnerability

Criminal IP (CIP) can search for the current status of such vulnerable servers. Nearly a year after the vulnerability was first disclosed, we investigated how servers still affected by it are distributed around the world. The vuln: filter in CIP searches by CVE number; entering CVE-2021-21972 shows that, at the time of writing, a total of 3,294 IPs worldwide still run a vulnerable vCenter.

Among them, the five countries running the most vulnerable vCenter Servers were the United States, Turkey, Germany, China and France; the United States accounted for 50% of the vulnerable IPs, followed by Turkey (16%) and Germany (14%).

Looking at the IP addresses returned by the CIP search, tcp/80 and tcp/443 are open on all of them, and the CVE-2021-21972 vulnerability was detected specifically on the tcp/443 (https) port. In addition, many of these servers are flagged as malicious IPs, with the inbound score of the corresponding IP shown as critical grade. In other words, CIP's malicious-history correlation feature had already associated these IPs with suspicious behaviour.

SoftLayer Technologies Inc., the ASN name shown in the screenshot below, is a hosting and cloud company acquired by IBM. Its hosting/cloud servers run on vCenter, which means that taking over that single vCenter gives an attacker a way into the server and, from there, into a host of other underlying virtual servers with little further effort.


Why the attack surface needs to be managed

About 10 months after the vulnerability was first disclosed and the security patch released, about 3,294 vulnerable vCenters still remain worldwide. The companies running these servers are most likely small and medium-sized businesses, and the cause is probably neglect, since it is virtually impossible for them to run security checks manually every day. Large corporations are no exception: even those that conduct regular security checks mostly do so only quarterly or yearly at best, which leaves plenty of room for an attacker to get in between checks.

IT services and infrastructure now change faster than the developers in charge expect: servers are created and disposed of ever more frequently, and application vulnerabilities are exposed again and again. The reality is that most companies cannot fully track the state of their infrastructure or monitor in real time how their systems are exposed to the outside world. That thousands of instances of the same vulnerability are still found a year after the vCenter vulnerability became known shows that most companies either fail to respond proactively to these problems or are simply unaware of them.

To resolve this problem, a company needs to keep close tabs on its externally reachable points of attack. It must check whether ports susceptible to external attack (RDP, SSH, etc.) are open and, where certain ports must stay open for a service, examine not merely whether the port is open but whether the service behind it carries an unnoticed vulnerability. The task of managing these external attack points is called Attack Surface Management.

As crucial as attack surface management is, traditional security checks run only quarterly or semiannually come too late, because they leave attackers plenty of time to get in between checks. The task should therefore be handed to a system rather than to manpower. As applications diversify and vulnerabilities emerge faster than ever, attack surface management has already grown into a project too large for manual control. For reference, CIP provides a solution called RMR that automatically monitors a company's attack surface every day. Keeping up with the ever-changing attack points of IT infrastructure is the most essential defensive task there is.
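As an added illustration of the triage described above (example code written for this article, not Criminal IP's own tool or the RMR service), the script below ranks a constructed scan inventory the way the search results discussed earlier read: a vCenter admin page on tcp/443 carrying CVE-2021-21972 ranks highest, an exposed vCenter page or an exposed SSH/RDP port ranks high, and a critical inbound reputation grade escalates an already-exposed host. The `HostRecord` fields and the severity levels are assumptions of this example, not a CIP data format.

```python
from dataclasses import dataclass, field

TARGET_CVE = "CVE-2021-21972"
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # ports the article names as sensitive
RANK = {"critical": 3, "high": 2, "medium": 1}  # assumed severity scale for this example

@dataclass
class HostRecord:                      # assumed record shape, not a CIP schema
    ip: str
    open_ports: dict                   # tcp port -> product/banner seen on that port
    cves: dict = field(default_factory=dict)   # tcp port -> set of CVE ids detected there
    inbound_score: str = "safe"        # CIP-style reputation grade (constructed value)

def assess(rec):
    """Return (severity, reasons) for one host, or (None, []) if nothing is exposed."""
    severity, reasons = None, []
    def raise_to(level, why):
        nonlocal severity
        reasons.append(why)
        if severity is None or RANK[level] > RANK[severity]:
            severity = level
    for port, product in rec.open_ports.items():
        if TARGET_CVE in rec.cves.get(port, set()):
            raise_to("critical", f"{TARGET_CVE} detected on tcp/{port} ({product})")
        elif "vcenter" in product.lower():
            raise_to("high", f"vCenter admin page reachable on tcp/{port}")
        elif port in REMOTE_ADMIN_PORTS:
            raise_to("high", f"{REMOTE_ADMIN_PORTS[port]} exposed on tcp/{port}")
    # a critical reputation grade on an already-exposed host is worth escalating
    if reasons and rec.inbound_score == "critical":
        raise_to("critical", "inbound reputation grade is critical")
    return severity, reasons

def triage(records):
    """Worst-first list of (ip, severity, reasons) for hosts with findings."""
    out = [(r.ip, *assess(r)) for r in records]
    out = [f for f in out if f[1] is not None]
    out.sort(key=lambda f: RANK[f[1]], reverse=True)
    return out

# Constructed sample inventory, modelled on the search results the article describes.
SAMPLE = [
    HostRecord("198.51.100.10", {80: "http", 443: "VMware vCenter"},
               {443: {TARGET_CVE}}, "critical"),
    HostRecord("198.51.100.11", {22: "OpenSSH", 443: "nginx"}),
    HostRecord("198.51.100.12", {443: "VMware vCenter"}),
    HostRecord("198.51.100.13", {443: "nginx"}),
]

if __name__ == "__main__":
    for ip, sev, why in triage(SAMPLE):
        print(f"{sev:8} {ip}: " + "; ".join(why))
```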

Affected servers and remediation

The vulnerability is a remote code execution flaw in a vSphere Client (HTML5) plug-in of vCenter Server; the affected vCenter Server product versions and VMware Cloud Foundation platform versions are listed in the VMSA-2021-0002 advisory.

Where upgrading is not immediately possible, VMware advised editing the vCenter compatibility matrix file to mark the vRealize Operations vCenter plug-in as incompatible, so that the vulnerable plug-in is no longer loaded.

This article draws on data provided by Criminal IP. To find out more about specific Criminal IP services and about beta tester recruitment, visit our landing page, which is now open.