VMware vSphere (CVE-2021-21972)

July 2, 2023

In recent times, the realm of virtualization has become an indispensable part of modern IT infrastructure. Among the key players in this domain, VMware vSphere stands tall as a powerful and widely adopted virtualization platform. However, even the most robust systems are not immune to vulnerabilities. In this blog, we delve into the details of one such critical vulnerability that has garnered significant attention - CVE-2021-21972 in VMware vSphere. We will explore the nature of the vulnerability, how to exploit it, its potential impact, and the essential steps organizations can take to protect their virtual infrastructure.

Understanding CVE-2021-21972:

CVE-2021-21972 is a critical unauthenticated remote code execution vulnerability in the HTML5 vSphere Client of VMware vSphere, a comprehensive virtualization platform used by countless organizations worldwide. This vulnerability primarily affects VMware machines that utilize the vRealize Operations vSphere plugin. Exploiting this vulnerability allows attackers to issue malicious commands through publicly accessible ports.

Of particular concern is the fact that the vRealize Operations vCenter plugin is included in all default installations of vCenter Server. This means that VMware vClient endpoints are considered vulnerable, regardless of whether vRealize Operations is used for cloud automation.

The vulnerability impacts several software configurations, including:

  • VMware vCenter Server versions 6.5, 6.7, and 7.0
  • VMware Cloud Foundation versions 3 and 4

Additionally, the vulnerability is present in VMware ESXi hypervisors that provide threat actors with network access to port 427. By exploiting heap overflows in VMware's Service Location Protocol (OpenSLP), attackers can achieve remote code execution. 

CVE-2021-21972 falls in the critical severity range, with a base score of 9.8 out of 10 according to the CVSS. This high score reflects the significant potential for exploitation and the dire consequences it can bring. The vulnerability is deemed critical because it can be exploited without requiring any privileges.

Furthermore, the exploitability score of CVE-2021-21972 is 3.9, indicating that malicious actors can orchestrate an attack with relative ease. The vulnerability does not demand sophisticated techniques or advanced privileges, making it accessible to a wide range of attackers. This ease of exploitation amplifies the urgency of addressing the vulnerability promptly.

Considering the impact of CVE-2021-21972, we find it classified with a CVSS impact score of 5.9. This high-impact rating underscores the potential consequences of an attack leveraging this vulnerability. A malicious actor with network access to virtual machines can exploit CVE-2021-21972 to execute arbitrary commands, potentially leading to unauthorized access, data breaches, and compromise of the virtual infrastructure.

What causes the issue: 

The root cause of the CVE-2021-21972 vulnerability lies in the improper validation of directory paths within the uploaded tar archive, also known as OVA (Open Virtual Appliance). This flaw specifically affects the vRealize operations plugin in VMware vSphere.

The vulnerability stems from a lack of proper authentication and authorization checks for the /ui/vropspluginui/rest/services/* endpoint. This means that attackers can exploit this endpoint without requiring any authentication, bypassing security measures.

Exploiting this vulnerability involves the creation of a malicious JSP (JavaServer Pages) shell, which is then uploaded to an arbitrary location within the targeted server. By doing so, the attacker gains administrative privileges over the affected VMware vCenter Server.

Essentially, the flaw in the vRealize Operations plugin allows unauthorized individuals to bypass authentication and execute arbitrary commands within the VMware vSphere environment. This lack of proper validation and authentication checks is the underlying cause of CVE-2021-21972.
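The missing path check can be shown in miniature. The following is an added example, not code from the original post or from VMware: it uses Python's tarfile module rather than the plugin's own code, and the entry names and destination directory are constructed. It contrasts where an unchecked extractor would write each entry with a validator that rejects anything resolving outside the unpack directory.

```python
import io
import os
import tarfile

def build_sample_archive(names):
    """Build an in-memory tar (constructed sample) holding one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def unsafe_targets(archive, dest):
    """Where an unchecked extractor writes: entry name joined onto dest as-is."""
    with tarfile.open(fileobj=archive, mode="r") as tar:
        return [os.path.normpath(os.path.join(dest, m.name)) for m in tar]

def validate_members(archive, dest):
    """Return (accepted, rejected) entry names; reject anything leaving dest."""
    root = os.path.realpath(dest)
    accepted, rejected = [], []
    with tarfile.open(fileobj=archive, mode="r") as tar:
        for m in tar:
            target = os.path.realpath(os.path.join(root, m.name))
            inside = os.path.commonpath([root, target]) == root
            # Links and device nodes can redirect later writes, so refuse them too.
            if inside and (m.isfile() or m.isdir()):
                accepted.append(m.name)
            else:
                rejected.append(m.name)
    return accepted, rejected

if __name__ == "__main__":
    names = ["plugin/descriptor.xml", "../../outside/escape.txt"]  # constructed
    dest = "/nonexistent_unpack_root"                              # hypothetical
    print(unsafe_targets(build_sample_archive(names), dest))
    print(validate_members(build_sample_archive(names), dest))
```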

Detecting and Exploiting CVE-2021-21972: 

Before diving into the exploitation of CVE-2021-21972, let's first understand the detection process and how to identify if a system is vulnerable to this security issue. By performing the following detection steps, we can determine the presence of the vulnerability:

Identifying the Issue

  • Send a GET request to the /ui/vropspluginui/rest/services/getstatus endpoint of the target vCenter server.
  • Examine the response received from the server and check for the following:
    - Look for an HTTP 200 OK response status, indicating that the endpoint is accessible.

  • Send a GET request to the /ui/vropspluginui/rest/services/uploadova endpoint of the target vCenter server.
  • Examine the response received from the server and check for the following:
    - Look for an HTTP 500 Internal Server Error response status, indicating a potential vulnerability.
    - Look for the word "uploadFile" in the response body, which confirms the existence of the vulnerability.

In the response to the second request, we look for the 'uploadFile' parameter, which the endpoint expects in a POST request. Its presence indicates that the vCenter server is prepared to accept a file as input. If we find the word "uploadFile" in the response body, it confirms the existence of the vulnerability: the vCenter server allows file uploads without proper restrictions or validation, potentially leading to a remote code execution vulnerability.
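The same two checks leave a recognisable trail on the server side. As an added example (not part of the original post), the script below scans web access log lines for requests to the plugin endpoints and labels them; it assumes Common Log Format lines, and the sample lines and addresses are constructed, since the page does not give vCenter's own log locations or formats.

```python
import posixpath
import re
from urllib.parse import unquote

PLUGIN_PREFIX = "/ui/vropspluginui/rest/services/"
# Assumed log layout: Common Log Format (client, timestamp, request, status).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method, target, status):
    """Label one request, or return None if it does not touch the plugin."""
    # Canonicalise first so '//' or percent-encoding does not hide the path.
    path = posixpath.normpath(unquote(target.split("?", 1)[0]))
    if not path.startswith(PLUGIN_PREFIX):
        return None
    endpoint = path[len(PLUGIN_PREFIX):]
    if endpoint == "uploadova" and method == "POST":
        return "upload-attempt"      # a file was actually submitted
    if endpoint == "uploadova" and status == 500:
        return "probe-uploadova"     # the GET / HTTP 500 check
    if endpoint == "getstatus" and status == 200:
        return "probe-getstatus"     # the GET / HTTP 200 check
    return "plugin-access"

def scan(lines):
    """Map each client address to the ordered labels of its plugin requests."""
    findings = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        label = classify(m["method"], m["target"], int(m["status"]))
        if label is not None:
            findings.setdefault(m["ip"], []).append(label)
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/May/2023:15:51:40 +0000] "GET /ui/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/May/2023:15:51:42 +0000] "GET /ui/vropspluginui/rest/services/getstatus HTTP/1.1" 200 64',
    '198.51.100.7 - - [19/May/2023:15:51:43 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 500 310',
    '198.51.100.7 - - [19/May/2023:15:51:50 +0000] "POST /ui//vropspluginui/rest/services/uploadova HTTP/1.1" 200 7',
]

if __name__ == "__main__":
    for ip, labels in scan(SAMPLE_LOG).items():
        print(ip, labels)
```

A client that shows both probe labels followed by an upload attempt is the sequence to prioritise for investigation.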

Instead of checking multiple instances manually, you can also use the Nmap NSE script provided in the GitHub repository at https://github.com/alt3kx/CVE-2021-21972. The repository contains an NSE script named 'CVE-2021-21972.nse', specifically designed to identify the CVE-2021-21972 vulnerability.

To use the NSE script, execute the following command:

nmap -p443 --script CVE-2021-21972.nse <target>

Impact and Remediation: 

The impact of CVE-2021-21972 should not be underestimated, as it exposes organisations to significant risks and potential consequences. Exploiting this vulnerability can have severe implications for the affected VMware vSphere environments.

Firstly, unauthorised individuals who successfully exploit CVE-2021-21972 gain administrative privileges within the VMware vCenter Server. This means they have complete control over the virtual infrastructure, including access to critical data. Once inside, attackers can exploit the compromised system to conduct various malicious activities. They can engage in opportunistic scanning to search for sensitive information, install malware to further compromise the environment, or even carry out server-side request forgery.