Last year, in February, a critical Remote Code Execution (RCE) vulnerability, VMSA-2021-0002 (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974), was announced in vSphere, a virtualization software platform developed by VMware. This vulnerability poses a significant threat to enterprises utilizing vSphere, allowing unauthorized access to servers without a valid account. It has been nearly a year since the release of the security patch, and we conducted an analysis using Criminal IP to assess the potential extent of the damage.

Impact of Damages Caused by Vulnerabilities in vCenter Server

Hackers can exploit CVE-2021-21972 to upload files to vCenter Server without authorization. The vulnerability stems from missing authentication in the vRealize Operations vCenter plug-in. Attackers reach it over TCP/443, which serves the vCenter application without requiring ID/PW authentication for this plug-in. By uploading a specially crafted file to the vulnerable endpoint of the vCenter administrator page, the hacker gains unrestricted remote code execution (RCE), that is, the ability to run arbitrary commands on the operating system hosting vCenter Server. Because the server can be taken over completely, the vulnerability carries a critical severity score of 9.8 out of 10.

For more detailed information on the execution method of this vulnerability, you can visit the following blog:

Vulnerability scripts:
NS-Sp4ce/CVE-2021-21972
QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC
horizon3ai/CVE-2021-21972
yaunsky/CVE-2021-21972

The administrator page of vCenter is typically configured with a firewall that restricts access to infrastructure organizations within a company. However, in some cases where network separation is not effectively enforced, non-infrastructure department employees may gain access to the administrator page of vCenter. This allows insiders to bypass authentication and infiltrate critical vCenter servers. Consequently, hackers may exploit this situation by infecting the PCs of non-IT department employees, such as those in human resources, general affairs, or marketing teams, who may have relatively weaker security awareness. Subsequently, the hackers can use these compromised PCs to infiltrate the vCenter system.

A more serious concern arises when the company’s firewall is misconfigured, or when infrastructure staff and developers unintentionally expose the vCenter administrator page to the external internet. Suppose, for example, that TCP/443 (HTTPS), the port used to reach a specific company’s vCenter administrator page, is already exposed on the internet. In that case, hackers can infiltrate the company’s vCenter directly from the outside without first infecting employees’ PCs, giving them easy access to take control of the many virtual servers operated by that vCenter.

Global Status of Servers Exposed to vCenter Vulnerability

Criminal IP provides a powerful tool for searching the current status of vulnerable servers. Nearly a year after the initial disclosure of the vulnerability, we investigated to determine the distribution of servers affected worldwide. By utilizing the vuln: filter in Criminal IP, users can easily check for vulnerabilities associated with specific CVE numbers. In the case of CVE-2021-21972, our findings reveal a staggering total of 3,294 IPs globally that still have vulnerable vCenters at the time of writing this article.

Five countries (the United States, Turkey, Germany, China, and France) ranked highest in the number of vulnerable vCenter Servers operated. The United States accounted for 50% of the vulnerable IPs found, followed by Turkey with 16% and Germany with 14%.

The vulnerability filter in Criminal IP allows checking for CVE number-related vulnerabilities
Statistics on countries operating vulnerable vCenter servers

Reviewing the IP addresses returned by the CIP search shows that TCP ports 80 and 443 are open on all of them; the CVE-2021-21972 finding itself is attached to TCP port 443 (HTTPS). Moreover, a significant number of these servers are flagged as malicious IPs, with their inbound score classified as critical. CIP’s malicious-history association analysis makes it possible to anticipate certain malicious behaviors from such hosts.

SoftLayer Technologies Inc., as indicated by the corresponding ASN name in the provided screenshot, is a hosting and cloud company that IBM has acquired. Their hosting/cloud server runs on vCenter, enabling the possibility of infiltrating a server by compromising that particular vCenter. This, in turn, grants hackers relatively effortless access to a multitude of underlying virtual servers.

After analyzing the IP addresses from the Criminal IP search results, it was found that they all have TCP ports 80 and 443 open

The Importance of Managing the Attack Surface

Even after nearly ten months since the initial disclosure and the release of security patches, a significant number of problematic servers worldwide still harbor approximately 3,294 vulnerable vCenters. Interestingly, these servers are predominantly found in small and medium-sized companies, possibly indicating a lack of resources and capacity for daily security checks. However, even large corporations are not immune to this issue. While they may conduct regular security assessments, it is often quarterly or yearly, leaving room for potential hacker infiltrations in the interim period.

In today’s rapidly changing IT services and infrastructure, developers often find themselves surprised by the pace of transformation. As a result, frequent server creation and disposal and recurrent exposure of application vulnerabilities have become the norm. However, many companies struggle to effectively manage their infrastructure status or monitor the real-time exposure of their systems in external cyberspace. This reality is evident in the persistence of thousands of identical vulnerabilities even a year after the vCenter vulnerability became known. It indicates that most companies either fail to respond to these issues proactively or are unaware of such security concerns.

To mitigate this problem, it is crucial to closely monitor a company’s externally reachable attack points. This involves regularly checking the status of important ports that are exposed to external attacks, such as RDP and SSH. Where certain ports must remain open for service purposes, it is essential to assess not only that they are open but also whether the service behind them carries any undetected vulnerabilities. This process of managing a company’s external attack points is known as Attack Surface Management.

While attack surface management is crucial, relying solely on traditional security checks conducted quarterly or semiannually is no longer sufficient. Hackers exploit the time gaps between these checks, which makes the checks ineffective at preventing infiltration. To address this, attack surface management should be entrusted to automated systems rather than relying solely on human effort. As applications diversify and vulnerabilities emerge faster than ever, attack surface management has already become a task too large for manual control. Criminal IP offers a solution, Criminal IP ASM, that automatically monitors a corporate attack surface daily, which is essential for defending against the ever-changing attack points of IT infrastructure.
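The daily check the article recommends can be expressed as a diff between two external-scan snapshots: what became exposed overnight, what was closed, and which known-vulnerable services are still there. The following is an added illustration, not Criminal IP code; the snapshot rows, the TEST-NET addresses and the priority scheme are constructed for this example.

```python
"""Daily external attack-surface diff: compare yesterday's and today's scan
snapshots and rank what changed. Sample data is constructed (TEST-NET
addresses), not Criminal IP output."""
from dataclasses import dataclass

# Ports the article singles out as high-value external attack points.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 443: "HTTPS admin UI"}


@dataclass(frozen=True)
class Exposure:
    ip: str
    port: int
    service: str       # product label reported by the external scanner
    cves: frozenset    # CVE tags the scanner attached to this service


def load_snapshot(rows):
    """rows: (ip, port, service, [cve, ...]) tuples -> {(ip, port): Exposure}."""
    return {(ip, port): Exposure(ip, port, svc, frozenset(cves))
            for ip, port, svc, cves in rows}


def priority(e):
    """3 = known-vulnerable service, 2 = exposed management port, 1 = other."""
    if e.cves:
        return 3
    return 2 if e.port in MANAGEMENT_PORTS else 1


def diff_snapshots(previous, current):
    """Bucket today's exposures against yesterday's: new, resolved, and
    vulnerable services that are still reachable. Each bucket is sorted so
    the highest-priority item comes first."""
    order = lambda e: (-priority(e), e.ip, e.port)
    new = [current[k] for k in current.keys() - previous.keys()]
    resolved = [previous[k] for k in previous.keys() - current.keys()]
    persisting = [current[k] for k in current.keys() & previous.keys()
                  if current[k].cves]
    return {"new": sorted(new, key=order),
            "resolved": sorted(resolved, key=order),
            "persisting_vulnerable": sorted(persisting, key=order)}


# Constructed snapshots: a vCenter left on 443 for a second day, an RDP host
# that appeared overnight, and an SSH host that was closed.
YESTERDAY = load_snapshot([
    ("203.0.113.10", 443, "VMware vCenter", ["CVE-2021-21972"]),
    ("203.0.113.10", 80, "http", []),
    ("203.0.113.20", 22, "OpenSSH", []),
])
TODAY = load_snapshot([
    ("203.0.113.10", 443, "VMware vCenter", ["CVE-2021-21972"]),
    ("203.0.113.10", 80, "http", []),
    ("203.0.113.30", 3389, "RDP", []),
    ("203.0.113.30", 8080, "http-proxy", []),
])
```

Running `diff_snapshots(YESTERDAY, TODAY)` daily and alerting on the `new` and `persisting_vulnerable` buckets closes the gap that a quarterly review leaves open.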

The Attack Surface Management Solution, Criminal IP ASM
Criminal IP ASM performs daily automated checks on an organization’s attack surface

The Affected Servers and Solutions

The vulnerable component is the vSphere Client (HTML5) plug-in of vCenter Server, which is susceptible to remote code execution. The affected products include specific versions of vCenter Server and of the VMware Cloud Foundation platform.

VMware has announced a change in the compatibility matrix file, indicating that the vRealize Operations vCenter plugin will be marked as incompatible if an upgrade is not feasible.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence. [Criminal IP’s Official Service Release]