This comes after many researchers, and the US Cybersecurity and Infrastructure Security Agency (CISA), warned users about a future attack. The exploit, tracked as CVE-2021-22005, is now widely available, and cyber threat actors are taking advantage of it. VMware is a cloud computing technology company, and its vCenter Server provides a centralized platform for managing virtual infrastructures. Worryingly, the vulnerability does not require authentication and allows malicious actors to upload files to the vCenter Server analytics service. The widespread availability of this exploit could lead to less-skilled malicious actors getting involved. This would in turn lead to a greater number of attacks. VMware has released a patch to address the vulnerability and urges its customers to patch their vCenter Server.
VMware Customers at Risk
On Monday, September 27, exploit writer wvu put out an unredacted exploit for CVE-2021-22005. This works against endpoints with the Customer Experience Improvement Program (CEIP) component enabled. On the other hand, VMware said the vulnerability can be exploited by a wide range of actors. The company said it is exploitable “by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.” CISA tweeted that it expects widespread exploitation of the vulnerability, and urged users to upgrade to a fixed version as quickly as possible or apply the temporary workaround provided by VMware. Cybersecurity company Censys put out a report on September 24 which showed that there were around 3,264 “internet-facing and potentially vulnerable” hosts. The report added that over 430 had been patched, and 1,369 are either unaffected versions or have the workaround applied.
VMware’s Guidelines to Users
VMware strongly recommends that users patch their vCenter Server is they can. This is the fastest way to take care of the problem and completely remove the vulnerabilities. “Patching also carries less technical debt and less risk than using a workaround,” it adds. VMware also provides some options for users who are unable to patch right away. It recommends editing a text file on the VCSA and restarting services and is documented as part of the VMSA link here. Additionally, users may have other security controls that can protect them until they are able to patch it. This includes using network perimeter access controls, or vCenter Server Appliance firewall to curtail access to vCenter Server management interfaces. Furthermore, VMware strongly suggests limiting access to vCenter Server and other key management interfaces to only vSphere Admins. “Drive all other workload management activity through the VM network connections. This simplifies access control and makes the RDP or ssh management traffic subject to other security controls, such as IDS/IPS and monitoring.” To learn more about how you can step up your internet security game, check out our article on internet safety. It contains extremely helpful tips on safely navigating the internet. We also recommend reading up on how you can protect yourself and your organization from malware and ransomware.
