On September 24, 2021, CISA issued an alert warning about multiple exploitation attempts for a critical vulnerability (CVE-2021-22005) in VMware vCenter Server. A large number of scans for vulnerable servers surged after Vietnamese security researcher Jang published an incomplete exploit for CVE-2021-22005. Jang's technical notes were enough for experienced hackers to produce a working exploit enabling remote code execution with root privileges on affected instances.
According to the VMware advisory, CVE-2021-22005 is a critical arbitrary file upload issue in the Analytics service, caused by a misconfiguration in session token handling. If successfully exploited, the flaw gives remote code execution (RCE) with root privileges to any attacker able to reach vCenter Server over the network, regardless of vCenter Server configuration. In particular, anyone with network access to port 443 on vCenter Server may execute code on the vCenter Server Appliance by uploading a specially crafted file.
On September 21, 2021, VMware publicly disclosed the issue and released a patch to mitigate possible malicious activity. However, a few days later, Vietnamese security researcher Jang posted an incomplete proof-of-concept (PoC) exploit for CVE-2021-22005, providing hints on bypassing the workarounds issued by VMware. Although the exploit was intentionally pruned to omit the part enabling RCE, skilled threat actors are able to turn it into fully fledged exploit code for successful attacks.
Currently, security researchers observe multiple scans for exposed vCenter servers originating from various countries, including Canada, the U.S., Romania, the Netherlands, China, and Singapore. A quick query by Censys shows that over 7,000 VMware vCenter instances are exposed to the public internet. Of these, 3,264 hosts are considered potentially vulnerable, and only 436 are patched.
In view of the escalating ransomware threat, CVE-2021-22005 poses an extreme danger, since it gives attackers an easy way to drop malicious payloads onto the networks of critical infrastructure organizations.
The flaw affects all devices running vCenter Server versions 6.7 and 7.0 and, due to its devastating consequences, has received a critical severity rating of 9.8. VMware has released a patch for the vulnerability, accompanied by a detailed FAQ blog post, so admins can upgrade their instances as soon as possible.
To detect CVE-2021-22005 exploitation attempts and protect organizations from intrusion, security practitioners can download a behavior-based Sigma rule by our keen Threat Bounty developer Onur Atali, already available on the SOC Prime platform.
The rule includes translations for the following SIEM & Security Analytics platforms: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix.
The rule is also mapped to the MITRE ATT&CK framework, addressing the Persistence tactic and the Web Shell sub-technique (T1505.003) of the Server Software Component (T1505) technique.
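As an added illustration of the kind of behavior-based detection described above (this is example code written for this post, not the Threat Bounty rule itself, whose logic is not reproduced here), the script below correlates two events over constructed access-log lines: an external client successfully POSTing a request body to the Analytics service, followed by the same client requesting a .jsp resource elsewhere on the appliance, which is the web shell pattern of T1505.003. The log format, the `/analytics/` path prefix and all sample addresses and paths are assumptions, not vCenter specifics.

```python
import re

# Assumed access-log layout (constructed, not a real vCenter log format):
# client_ip "METHOD path HTTP/x.y" status bytes_received
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes_in>\d+)$'
)
# Assumed URL prefix under which the Analytics service is reached on port 443.
ANALYTICS_PREFIX = "/analytics/"

# Constructed sample lines; 203.0.113.7 shows the two-stage pattern.
SAMPLE_LOG = """\
10.0.0.5 "GET /ui/login HTTP/1.1" 200 0
203.0.113.7 "POST /analytics/upload HTTP/1.1" 201 5120
127.0.0.1 "POST /analytics/upload HTTP/1.1" 201 4096
203.0.113.7 "GET /ui/resources/app.jsp HTTP/1.1" 200 0
198.51.100.9 "GET /ui/resources/app.jsp HTTP/1.1" 200 0
203.0.113.7 "POST /analytics/upload HTTP/1.1" 403 5120
"""

def parse(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_external(ip):
    # Loopback traffic is expected for the appliance's own components.
    return not ip.startswith("127.") and ip != "::1"

def detect(lines):
    """Return (client_ip, finding) tuples in log order.
    Stage 1: external client POSTs a non-empty body to the Analytics
    service and receives 2xx (candidate arbitrary file upload).
    Stage 2: the same client later fetches a .jsp outside the Analytics
    path (candidate web shell use, ATT&CK T1505.003)."""
    findings, uploaders = [], set()
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        ip, status = ev["ip"], int(ev["status"])
        path = ev["path"].split("?", 1)[0]          # drop the query string
        if (ev["method"] == "POST" and path.startswith(ANALYTICS_PREFIX)
                and int(ev["bytes_in"]) > 0 and 200 <= status < 300
                and is_external(ip)):
            uploaders.add(ip)
            findings.append((ip, "analytics_upload"))
        elif ip in uploaders and path.endswith(".jsp") \
                and not path.startswith(ANALYTICS_PREFIX):
            findings.append((ip, "possible_webshell_T1505.003"))
    return findings

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG.splitlines()):
        print(ip, finding)
```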
Looking for ways to address your custom use cases, boost threat discovery, and streamline hunting capabilities with a single cost-efficient solution? Explore the newly released SOC Prime platform, which serves all your security needs in a single space designed to make your threat detection experience faster, simpler, and more intelligent. Want to join our crowdsourcing initiative and become one of our content contributors? Get started with the industry-first Threat Bounty Program!