Exploit code that could be used for remote code execution on VMware vCenter Server vulnerable to CVE-2021-22005 was released today and attackers are already using it.
Publicly disclosed earlier this week when VMware also fixed it, the bug comes with a critical severity rating of 9.8 and a strong recommendation to install the available patch.
The attacks have started
The vulnerability affects machines running vCenter Server versions 6.7 and 7.0. Given the seriousness of the problem, VMware urges administrators to act immediately, assuming an adversary is already on the network, ready to take advantage of it.
Exposed vCenter servers are currently being targeted from various countries across multiple ports, threat intelligence firm Bad Packets told BleepingComputer today. VMware confirmed this in an update to its security advisory for CVE-2021-22005, an arbitrary file download vulnerability:
“VMware has confirmed reports that CVE-2021-22005 is being exploited in the wild”
Data recorded by Bad Packets shows that the attacks started hitting its VMware honeypots at 4:21 p.m. (GMT) from Canada, the United States, Romania, the Netherlands, China and Singapore.
Signs of the coming attacks appeared shortly after VMware disclosed the security issue and released a fix: a few hours later, Bad Packets observed scanning activity targeting CVE-2021-22005.
The exploit that sparked the attacks
Bad Packets research director Troy Mursch told BleepingComputer that the attacks he saw on the company’s honeypots used code based on an incomplete exploit published earlier today by Vietnamese security researcher Jang.
Jang released technical notes for CVE-2021-22005 based on the workaround and fix from VMware. The details are enough for seasoned developers to create a working exploit that allows remote code execution with root privileges, the researcher told BleepingComputer.
At the end of the article, Jang also provides a link to his PoC for CVE-2021-22005. It is intentionally not fully functional, to prevent less skilled threat actors from using it directly in attacks.
The researcher told us that in its current form the code is harmless because it lacks the key part that leads to remote code execution.
An adversary would need to put in some effort to turn it into a full-fledged exploit, but should be able to produce a 100% reliable one.
Penetration tester and Synack Envoy Nicolas Krassas tested the code and confirmed that it needs some tweaking to work properly, but that it does prove CVE-2021-22005 can be used to plant a backdoor on a vulnerable system.
The attacks were imminent
Jang built a fully functional exploit and tested it in a controlled environment. He said it worked well, achieving remote code execution before detection could catch him.
Search engines for Internet-connected devices currently show thousands of VMware vCenter Server instances exposed to the public Internet. Shodan returns over 5,000 machines, while a rough search on Censys shows around 6,800.
However, not all of these servers are vulnerable to CVE-2021-22005. Censys notes that 3,264 of these Internet-connected hosts are “potentially vulnerable” and 436 are patched.
Still, the number of potential targets is high, and given how early threat actors began scanning for vulnerable machines, it is easy to conclude that attacks were imminent.
Speaking to BleepingComputer about his incomplete exploit, Jang said that a mid-level adversary would need around an hour to create a working and reliable version. He strongly advises administrators to patch their systems to defend against attacks using CVE-2021-22005.
The US Cybersecurity and Infrastructure Security Agency (CISA) urges critical infrastructure organizations with vulnerable vCenter deployments to apply the VMware updates or the temporary workaround.
A Censys article explains that a remote code execution exploit is not difficult to create from the technical details already published:
“The cURL-based exploit in the blog post does not demonstrate direct code execution, although a knowledgeable reader may use the information in this article to accomplish this goal with some knowledge of the Linux operating system. Censys has decided to release this detail, as the opportunistic scan is already underway and the VMware workaround mentions the specific vulnerable endpoint.”
The researcher also posted a video to show how an attacker could exploit the vulnerability:
Update [September 24, 2021 – 17:41 EST]: Shortly after the publication, BleepingComputer learned that hackers had started exploiting CVE-2021-22005 using code published by security researcher Jang. We’ve updated the article with information about the attacks.