Blog

When A Critical Vulnerability Meets A Critical Asset

Naor Kalbo | June 24, 2021

The analysis behind VMware vCenter Server RCE vulnerability

On June 4, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert, asking VMware customers to urgently patch their systems due to the likelihood of cyber threat actors attempting to exploit the company’s vCenter Server and Cloud Foundation products. The related vulnerabilities were assigned respectively CVE-2021-21985 (with NVD’s score CVSSv3.1 9.8) and CVE-2021-21986 (with NVD’s score CVSSv3.1 9.8).

The technical details behind CVE-2021-21985 relate to the lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. Successful exploitation may lead to remote code execution and full control of the target machine, thus putting the organizational network at significant risk. Affected product versions include vCenter server 6.5, 6.7, and 7.0. The fact that vulnerable VMware software products might be a component of other vendor’s products, recently Philips reported the usage of VMware in its medical devices, is also concerning.

These VMware’s vulnerabilities are being published in a time when ransomware attacks are increasing, with the recent demonstration of how disruptive these attacks can be to every targeted industry or service provider.

Using the Forescout Device Cloud, Forescout researchers have evaluated the reported VMware vCenter Server vulnerabilities, profiled the vulnerable assets, and can now assist organizations to better protect against a malicious act within their perimeters.

VMware’s vCenter Server spread analysis

VCenter Server Instances Distribution

Our analysis shows that almost half of the organizations we analyzed have one instance of vCenter Server, nearly a quarter (26.4%) have two instances, and the rest have three or more (see chart).

Some organizations have more than 20 vCenter instances; each might run a different software version (e.g. End-of-life / vulnerable / patched ), which makes the patch management of these assets highly complex.

The Device Cloud data also shows that a vCenter Server manages approximately 450 VMware virtual hosts on average. This makes the attack surface highly attractive for malicious actors.

The top five industries impacted by these vulnerabilities are the Entertainment (~44.8%), Government (11.2%), Financial (9.7%), Healthcare (7.4%), and Discrete Manufacturing (6.4%) verticals (see chart below). It is likely that these industries could be targeted by malicious actors in the near future.

VMware VCenter Server Industry Distribution

vCenter Server native profiling

Version analysis

It is clear that version 6.7.0.X (X stands for any given minor version) is the most common version (54.2%), followed by 6.5.0.X (22.6%), 6.0.0.X (8.6%) and 7.0.X (~7%). The vulnerable software version lies within 6.7.X, 6.5.X and 7.0.X (excluding the latest patched version).

We estimate that 40%-50% of the observed hosts have not patched the systems and therefore are potentially vulnerable to a critical CVE-2021-21985 remote code execution attack. We also observed approximately 17% of the analyzed assets are using an End-of-Life software version which, although is not directly related to the recent vulnerabilities, exposes the organizational network to an increased risk.

VCenter Server Version Distribution

Running services (ports) and accessibility analysis

To exploit CVE-2021-21985, a malicious actor would need network access to port 443 (HTTPS) on the target machine. The majority of the systems running vCenter expose their TCP/80 (97%) port and TCP/443 port (96%) internally. This means that a malicious insider with a valid route to the target device could compromise it. Unfortunately, the vulnerability could also be exploited by a remote attacker in case a vulnerable device is exposed to the Internet. A search on Shodan reveals indeed that there are thousands of vulnerable Internet-facing vCenter Servers spread around the globe, suggesting that the possibility of a remote attack cannot be excluded.

Our analysis also shows that on average a vCenter Server will expose three to five open ports; excluding the above-mentioned ports (HTTPS and TCP), we did find that the most common open ports on those relate to IPSEC and SMB (both 59%), RPC (57%), Kerberos authentication system (45%), RDP (38%) and SSH (34%). See the treemap below for more details.

VCenter Server Open Ports Distribution

Hosting operation system analysis

The most common vCenter’s hosting OS is Windows, with a distribution of around 62%, followed by Linux OS (34%).
Windows-based only analysis shows that almost 70% of the vCenters runs over Windows Server 2016; The rest run over older or end-of-support and certainly not patched OS, such as Windows Server 2008 R2. Microsoft announced that Windows Server 2008 R2 reached the end of support lifecycles on January 14, 2020. Meaning, devices at a high-risk level due to the fact that no security updates will be released.

VCenter Server Operating System Distribution

Exploitation

To exploit vCenter Server using CVE-2021-21985, a malicious actor must have network access to port 443 (i.e., HTTPS) on the vCenter Server. The exploitation is straightforward: no authentication or elevated privileges are needed, and only some simple POST requests against the target will make the exploit work. If this weren’t enough, PoC exploits are already available in the wild, and both scanning and exploitation activities are trending.

Detection and mitigation

Forescout has released a Security Policy Template to detect vulnerable vCenter Server versions.

In VMware’s advisory, published on May 25, 2021, VMware asked their customers to consider this critical vulnerability as an “emergency change” and to patch vCenter Server to the latest available version:

Fixed versions:

Conclusion

VMware’s latest vulnerabilities represent a critical risk for organizations that should identify and patch vulnerable systems as soon as possible. VMware’s vCenter Server is typically a critical system within organizations with hundreds of other VMs connected to it. These new vulnerabilities, with publicly available exploits, could make the devices an appealing target for cyber-criminals, easily leveraging CVE-2021-21985 to get full control of the target machine. We advise Forescout’s customers to install the SPT to identify systems running a vulnerable (or EOL) version of VMware’s vCenter Server and patch them immediately.