VMware vSphere (CVE-2021-21972)

Exploiting CVEs
July 2, 2023

In recent times, the realm of virtualization has become an indispensable part of modern IT infrastructure. Among the key players in this domain, VMware vSphere stands tall as a powerful and widely adopted virtualization platform. However, even the most robust systems are not immune to vulnerabilities. In this blog, we delve into the details of one such critical vulnerability that has garnered significant attention - CVE-2021-21972 in VMware vSphere. We will explore the nature of the vulnerability, how to exploit it, its potential impact, and the essential steps organizations can take to protect their virtual infrastructure.

Understanding CVE-2021-21972:

CVE-2021-21972 is a critical unauthenticated remote code execution vulnerability in the HTML5 vSphere client, a comprehensive virtualization platform used by countless organizations worldwide. This vulnerability primarily affects VMware machines that utilize the vRealize operations vSphere plugin. Exploiting this vulnerability allows attackers to issue malicious commands through publicly accessible ports. 

Of particular concern is the fact that the vRealize operations vCenter plugin is included in all default installations of vCenter Server. This means that VMware vClient endpoints are considered vulnerable, regardless of whether vRealize operations are used for cloud automation.

The vulnerability impacts several software configurations, including:

  • VMware vCenter Server versions 6.5, 6.7, and 7.0
  • VMware Cloud Foundation versions 3 and 4

Additionally, the vulnerability is present in VMware ESXi hypervisors that provide threat actors with network access to port 427. By exploiting heap overflows in VMware's Service Location Protocol (OpenSLP), attackers can achieve remote code execution. 

When it comes to its severity score, the CVE-2021-21972 has earned its place in the critical severity range, with a base security score of 9.8 out of 10 according to the CVSS. This high score reflects the significant potential for exploitation and the dire consequences it can bring. The vulnerability is deemed critical due to its ability to be exploited without requiring any privileges, presenting an alarming level of threat.

Furthermore, the exploitability score of CVE-2021-21972 is 3.9, indicating that malicious actors can orchestrate an attack with relative ease. The vulnerability does not demand sophisticated techniques or advanced privileges, making it accessible to a wide range of attackers. This ease of exploitation amplifies the urgency of addressing the vulnerability promptly.

Considering the impact of CVE-2021-21972, we find it classified with a CVSS impact score of 5.9. This high-impact rating underscores the potential consequences of an attack leveraging this vulnerability. A malicious actor with network access to virtual machines can exploit CVE-2021-21972 to execute arbitrary commands, potentially leading to unauthorized access, data breaches, and compromise of the virtual infrastructure.

What causes the issue: 

The root cause of the CVE-2021-21972 vulnerability lies in the improper validation of directory paths within the uploaded tar archive, also known as OVA (Open Virtual Appliance). This flaw specifically affects the vRealize operations plugin in VMware vSphere.

The vulnerability stems from a lack of proper authentication and authorization checks for the /ui/vropspluginui/rest/services/* endpoint. This means that attackers can exploit this endpoint without requiring any authentication, bypassing security measures.

Exploiting this vulnerability involves the creation of a malicious JSP (JavaServer Pages) shell, which is then uploaded to an arbitrary location within the targeted server. By doing so, the attacker gains administrative privileges over the affected VMware vCenter Server.

Essentially, the flaw in the Realize operations plugin allows unauthorized individuals to bypass authentication and execute arbitrary commands within the VMware vSphere environment. This lack of proper validation and authentication checks is the underlying cause of CVE-2021-21972.

Detecting and Exploiting CVE-2021-21972: 

Before diving into the exploitation of CVE-2021-21972, let's first understand the detection process and how to identify if a system is vulnerable to this security issue. By performing the following detection steps, we can determine the presence of the vulnerability:

Identifying the Issue

  • Send a GET request to the /ui/vropspluginui/rest/services/getstatus endpoint of the target vCenter server using the following command:
CleanShot 2023-05-19 at 15.53.09@2x.png
  • Examine the response received from the server and check for the following:
    - Look for an HTTP 200 OK response status, indicating that the endpoint is accessible.

  • Send a GET request to the /ui/vropspluginui/rest/services/uploadova endpoint of the target vCenter server using the following command:
CleanShot 2023-05-19 at 15.51.42@2x.png
  • Examine the response received from the server and check for the following:
    - Look for an HTTP 500 Internal Server Error response status, indicating a potential vulnerability.
    - Look for the word "uploadFile" in the response body, which confirms the existence of the vulnerability.

In the above response, we examine the presence of the 'uploadFile' parameter in the POST request. The presence of this parameter indicates that the vCenter server is prepared to accept a file as input. If we find the word "uploadFile" in the response body, it confirms the existence of the vulnerability. This indicates that the vCenter server allows file uploads without proper restrictions or validation, potentially leading to a remote code execution vulnerability.

In addition to detecting multiple instances manually, you can also leverage the Nmap NSE script provided in the GitHub repository mentioned (https://github.com/alt3kx/CVE-2021-21972). The repository contains an NSE script named 'CVE-2021-21972.nse', specifically designed to identify the CVE-2021-21972 vulnerability.

To utilize the nse script, execute the following command:

nmap -p443 --script CVE-2021-21972.nse <target>

CleanShot 2023-05-19 at 16.03.34@2x.png

Impact and Remediation: 

The impact of CVE-2021-21972 cannot be underestimated, as it exposes organisations to significant risks and potential consequences. Exploiting this vulnerability can have severe implications for the affected VMware vSphere environments.

Firstly, unauthorised individuals who successfully exploit CVE-2021-21972 gain administrative privileges within the VMware vCenter Server. This means they have complete control over the virtual infrastructure, including access to critical data. Once inside, attackers can exploit the compromised system to conduct various malicious activities. They can engage in opportunistic scanning to search for sensitive information, install malware to further compromise the environment, or even carry out server-side request forgery.

Related posts :

Exploiting CVEs

Exploiting CVEs
April 1, 2024

Text4Shell(CVE-2022-42889)

Blog on CVE-2022-42889 explores a critical vulnerability found in Apache commons text in October 2022. Let's jump into its technicality.
Read More
Exploiting CVEs
March 29, 2024

RCE on MobSF(CVE-2024-21633)

This CVE exposes a critical security vulnerability in Apktool, a widely-used tool for reverse engineering closed-source, third-party Android apps.
Read More
Exploiting CVEs

Path Traversal in Openfire Admin Console

Enter CVE-2023-32315, an authentication bypass vulnerability discovered in Openfire, a popular XMPP server. This exploit grants malicious actors unrestricted access to the Openfire administrative console.
Read More
Web App Security
Web App Security
March 3, 2018

How missing access control can make your application hacker-friendly?

Welcome back, my hacker friends. If you have already gone through the OWASP TOP 10 for 2017, you will find that Broken Access…
Read More
Web App Security
November 21, 2017

Common security issues in Authentication – Part 1

Hey, everyone. This topic of authentication testing will actually be divided into two posts as it is quite a long topic and…
Read More
Web App Security
March 14, 2018

How self XSS got turned into a stored XSS?

self XSS Hey everyone. Our company ENCIPHERS recently conducted a penetration test for a certain client XYZ and in this post...
Read More

Mobile App Security

Mobile App Security
November 26, 2019

Awesome Android Application Security

Android Application Security This is a write-up of Android Application Security resources and tools which helps in Android...
Read More
Mobile App Security
July 2, 2023

Exploring Android Security: Safeguarding The Droid

The Android architecture implements different security layers that, together, enable a defense-in-depth approach. This means that the confidentiality, integrity or availability of sensitive user-data doesn't hinge on one single security measure.
Read More
Mobile App Security
January 15, 2020

Xposed Framework Plugins For Android Pentesting

The workflow of Xposed framework Plugins for Android Pentesting Xposed framework Plugins for Android Pentesting helps in...
Read More
An Award-Winning Cyber Security Consulting & Training Company
Email
Headquarter
Enciphers Labs Private Limited,
24th Floor, Tower B, Alphathum, Sector 90, Noida, Uttar Pradesh, India
Company
About usContact UsServicesTrainingBrand Kit
Useful links
Cyber Security PolicyData Protection PolicyResponsible DisclosurePrivacy PolicyHall Of Fame
© 2000-2022, All Rights Reserved