Thousands of VMware Servers Left Vulnerable to a Critical RCE Bug
Last year, a critical RCE (Remote Code Execution) vulnerability was discovered in the vRealize Operations vCenter plugin, which is present in all default vCenter Server installations. The bug allowed bad actors to gain elevated privileges in the underlying OS of vulnerable devices without any authentication: it let them upload a specially crafted file to internet-facing, exposed servers over port 443, after which the remote attacker could execute arbitrary malicious code on the compromised device.
What Made the Vulnerability so Critical?
A vCenter server is commonly deployed inside large corporate networks, allowing IT professionals to manage VMware products installed on all of the organization’s local devices. The vulnerability could potentially provide an entry point to the hackers who could further compromise other endpoints and systems managed through the vCenter server. Based on its risk, VMware classified the vulnerability as highly critical, giving it a CVSS v3.0 score of 9.8.
VMware released an official patch on February 23, 2021, addressing some security flaws in VMware ESXi, Cloud Foundation, and vCenter Server, including CVE-2021-21972—the aforementioned vulnerability.
Positive Technologies, the security firm that discovered the vulnerability, had planned to keep the details of the bug private until companies running vCenter Client could patch the software. However, several proof-of-concept exploit codes were released shortly after the patch, exposing more than 67,000 vCenter servers.
Through the publicly accessible proof-of-concept exploit codes, even amateur threat actors could launch successful attacks without any prior knowledge of an organization’s internal infrastructure. Attackers were immediately on the lookout for vulnerable vCenter servers connected to the internet.
All they had to do was to run a shodan.io query to find a list of unpatched vCenter servers still connected to the internet. Bad Packets, a threat intelligence company, warned of the ongoing mass scans, urging companies running VMware systems to hasten their remediation efforts and update their systems as soon as possible.
How Should Companies Respond to Such Incidents?
In order to handle these critical and actively exploited vulnerabilities, system administrators must expedite mitigation activities and conduct enterprise-wide compromise assessments to find potential exploits and their impact within the organization.
Once official patches are released, organizations should apply the software updates right away. To minimize threat exposure, access to internet-facing servers should be limited to authorized users on the corporate VPN or the internal network. To further limit the impact of a successful compromise and to prevent hackers from moving freely from one compromised device to other assets, a zero-trust policy should be enforced. The zero-trust approach holds that authorized users and computer systems should be able to reach only the data and systems necessary to perform their duties.
Attackers sometimes leverage a vulnerability to gain a foothold in an organization’s IT infrastructure. They can lie undetected for quite some time, gathering intelligence to gain a nuanced understanding of your environment. They may be able to move stealthily until they find a better target to maximize the impact of a full-scale cyberattack.
Those who’ve had unpatched software deployed for any length of time should assume that their systems have been compromised. They should conduct a thorough network audit to detect anomalies in user behaviors, network traffic, and connections to and from the exposed endpoints. Organizations should also audit their activity logs to identify any unexpected or malicious commands being executed.
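As an added illustration of the log audit recommended above (example code, not from the original article or from VMware), the script below triages vCenter-style HTTPS access logs for the two signs this bug leaves behind: file uploads to the vRealize Operations plugin from sources outside the corporate network, and plugin requests that succeeded with no authenticated user. The plugin URL prefix and the trusted network ranges are assumptions to adjust for your environment, and the log lines are constructed samples.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Assumption: the vRealize Operations plugin is served under this prefix on the
# vCenter web UI (port 443). Confirm the exact path against VMware's advisory.
PLUGIN_PREFIX = "/ui/vropspluginui/"

# Assumption: networks from which plugin management is legitimately done
# (the corporate VPN / internal ranges the article recommends limiting access to).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(addr in net for net in TRUSTED_NETS)

def triage(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious plugin request, with the reasons it was flagged."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(PLUGIN_PREFIX):
            continue  # only the vulnerable plugin's endpoints are in scope
        reasons = []
        if rec["method"] in ("POST", "PUT") and not is_trusted(rec["ip"]):
            reasons.append("plugin write from untrusted source")
        if rec["user"] == "-" and rec["status"].startswith("2"):
            reasons.append("unauthenticated request succeeded")
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["time"], "path": rec["path"], "reasons": reasons})
    return findings

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.1.2.3 - admin [24/Feb/2021:09:01:10 +0000] "GET /ui/vropspluginui/rest/services/getstatus HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Feb/2021:09:02:44 +0000] "POST /ui/vropspluginui/rest/services/upload HTTP/1.1" 200 0',
    '203.0.113.7 - - [24/Feb/2021:09:02:50 +0000] "GET /ui/ HTTP/1.1" 200 1024',
    '10.1.2.3 - - [24/Feb/2021:09:03:05 +0000] "GET /ui/vropspluginui/rest/services/getstatus HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is reported, on both counts; a hit like that on an unpatched host is the trigger for the compromise assessment described in the paragraph above.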
Following these steps is crucial for avoiding future threats and mitigating existing ones. This is also another reason why we utilize Nutanix as our go-to when it comes to server hardware and software. Nutanix is the future of your infrastructure because it’s hardened at the factory, used by the DoD (due to its security), and very easy to update with one-click updates.