Critical Unauthorized Remote Code Execution in VMware vCenter (CVE-2021-21972)

On February 23, 2021, VMware addressed a critical unauthorized remote code execution (RCE) bug (CVE-2021-21972) in its default vCenter Server plugin. Right after the announcement and the advisory release, threat actors started mass scans for publicly exposed instances. To date, researchers have detected 6700 VMware vCenter servers exposed to the attacks. As far as public proof-of-concept (PoC) exploits are already available on GitHub to facilitate the exploitation attempts, experts expect an avalanche of intrusions coming soon.

CVE-2021-21972 Description

The error resides in the HTML5 vSphere client. This misconfiguration allows unauthorized hackers (with access to port 443) to craft a specific request and execute arbitrary commands on the vulnerable server. As a result, adversaries can easily move across the compromised environments and steal sensitive corporate information. In fact, security analysts predict that vulnerability might be heavily exploited by ransomware gangs and other hackers searching for valuable data.

The flaw was revealed by Positive Technologies researcher Mikhail Klyuchnikov and reported to the vendor in autumn 2020. The public disclosure was planned later this year to give admins time to patch. However, a PoC exploit placed on GitHub on February 24, 2021, urges organizations to be quick at securing their systems. Notably, the PoC is an alarmingly trivial one-liner, which significantly increases the chances for massive vulnerability exploitation in the wild.

CVE-2021-21972 Detection and Mitigation

The flaw has been assigned a CVSSv3 base score of 9.8 (out of max 10), which makes the security hole highly critical. Currently, administrators are prompted to inspect the VMware advisory and patch ASAP. In case the patch can’t be immediately deployed, users should apply temporary mitigation advised by VMware. 

SOC Prime’s Senior Threat Hunting Engineer Adam Swan has released a community Sigma rule aimed at VMware vCenter RCE (CVE-2021-21972) exploitation attempts detection:

https://tdm.socprime.com/tdm/info/3OXu1LhU6yVQ#rule-context 

The rule has translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

EDR: Carbon Black

NTA: Corelight

MITRE ATT&CK:

Tactics: Initial Access, Privilege Escalation

Techniques: Exploit Public-Facing Application (T1190), Exploitation for Privilege Escalation (1068)

To reach the details for the dedicated Sigma rule and learn how it might enhance the detection of CVE-2021-21972, watch the recording of our webinar “Security Talks with SOC Prime: All about Sigma.”

In this session, Adam Swan speaks about Sigma rules creation and answers the questions regarding the vulnerability in question. Also, this webinar covers a lot of interesting topics related to Sigma, why it exists, and how anyone managing detections can benefit from using it.

Subscribe to Threat Detection Marketplace, an industry-first Detection as Code platform, and reduce the meantime of cyber-attack detection with our 95,000+ SOC content library. Have a desire to contribute to the community threat hunting activities? Join our Threat Bounty Program and get rewarded for your input!