Threat actors are exploiting a new critical unauthenticated remote code execution vulnerability in VMware vCenter Server. Here's what you need to know.
On September 21, 2021, VMware issued an advisory that a vulnerability in vCenter Server, CVE-2021-22005, was being actively exploited. The vulnerability allows a threat actor with access to port 443 to upload and execute files. Security researchers have also reported mass scanning of Internet-facing vCenter Servers, and exploit code is widely available, which could result in widespread attacks.
Quick facts: what you need to know now
- A threat actor can upload and execute arbitrary files which could lead to the full compromise of the vCenter Server and virtual machines hosted on the hypervisor.
- Organizations with their vCenter Server reachable from the Internet are at the most risk.
- The affected VMware vCenter Server versions are 6.5, 6.7, and 7.0.
Next Steps for All VMware Customers:
- Immediately patch vCenter Server to the latest version.
- If patching is not possible, leverage the workaround documented at https://kb.vmware.com/s/article/85717.
- Use the vCenter Server appliance firewall to limit access to the vCenter Server to only those systems that require access to vCenter.
- Search vCenter Server installations for directories created under "/var/log/vmware/analytics/prod" or "/var/log/vmware/analytics/stage".
- If subdirectories exist, it indicates that the vulnerability was exploited on your system. Note that threat actors could clean up these directories post-exploitation, so ensure additional investigation is performed to search for evidence of suspicious activity.
- If you find any suspicious activity, immediately disable remote access on the device and notify Corvus of a potential claim via firstname.lastname@example.org (Cyber policyholders) or email@example.com (Tech E&O policyholders). We will then connect you to counsel and a forensics firm to ensure your organization properly investigates, mitigates, and responds to the threat.
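The directory check from the steps above, as an added example that is not Corvus's or VMware's own tooling: it lists any subdirectory under the analytics prod/ and stage/ directories and exits non-zero when one is found. The optional first argument is an assumption for testing; it points the check at a copied filesystem image or a constructed test tree instead of the live appliance path.

```sh
#!/bin/sh
# Added example (not Corvus's or VMware's code): check a vCenter Server
# appliance for the post-exploitation artifact described above, i.e. any
# subdirectory under the analytics prod/ and stage/ directories.
# Run as root on the appliance; pass a different root path to check a copied
# filesystem image or a constructed test tree (assumed option, for testing).

ANALYTICS_DIR="/var/log/vmware/analytics"

# Print each subdirectory found (with owner and mtime, for a triage timeline)
# plus a summary line. Returns 0 when nothing is found, 1 otherwise. A clean
# result does not prove the host is clean: actors may remove the directories
# after use, so treat this as one input to a wider investigation.
check_analytics_dirs() {
    root="${1:-$ANALYTICS_DIR}"
    hits=0
    for sub in prod stage; do
        dir="$root/$sub"
        [ -d "$dir" ] || continue
        # Immediate children only; normal operation leaves these two
        # directories without child directories.
        list=$(find "$dir" -mindepth 1 -maxdepth 1 -type d)
        [ -n "$list" ] || continue
        printf '%s\n' "$list" | while IFS= read -r d; do
            printf 'SUSPICIOUS: '
            ls -ld "$d"
        done
        hits=$((hits + $(printf '%s\n' "$list" | wc -l)))
    done
    echo "analytics subdirectories found: $hits"
    [ "$hits" -eq 0 ]
}

# Run against the live path by default; "$1" overrides the root for testing.
check_analytics_dirs "$@"
```

Preserve the listed directories and their contents before any cleanup, since the files in them are the evidence a forensics firm will need.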
If you have any questions, please reach out to the Risk + Response Team at firstname.lastname@example.org!