A full exploit for the remote code execution vulnerability in VMware vCenter Server tracked as CVE-2021-22005 is now publicly available, and the flaw is being exploited in the wild by threat actors.
Unlike the version released late last week, this variant can open a reverse shell on a vulnerable system, giving attackers the ability to execute code of their choosing.
The vulnerability requires no authentication and allows an attacker to upload a file to the vCenter Server analytics service.
Fully functional exploit ready
On Monday, exploit writer wvu published an unredacted exploit for CVE-2021-22005 that works against endpoints with the Customer Experience Improvement Program (CEIP) component enabled, which is the default state.
However, VMware describes the vulnerability as exploitable "by anyone who can reach vCenter Server over the network, regardless of the configuration settings of vCenter Server".
In a technical analysis published this week, wvu walks through what the code does at each step, starting with a request that creates the directory needed for the path traversal and schedules a reverse shell to spawn.
The researcher notes that, although the exploit creates several files, the attack is not logged by typical solutions, and recommends using the Linux audit framework (auditd), which collects data on security-related and non-security-related events.
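As an added illustration of what that audit-based detection looks like in practice (this is example code written for this article, not code from wvu's analysis or from VMware), the script below parses raw auditd records, correlates the SYSCALL and PATH lines of each event by serial number, and flags any file created under a directory that a scheduled task would be written to. The watched directories, the rule key `sched_write`, and the log lines themselves are constructed assumptions chosen for the example; the analysis above does not name the files the exploit writes, so tune the list to the paths you actually watch.

```python
import re
from collections import defaultdict

# Assumed watch list: places a scheduled task could be dropped. This is an
# assumption of the example, not something the analysis above specifies.
WATCHED_DIRS = ("/etc/cron.d/", "/var/spool/cron/", "/etc/systemd/system/")

# Constructed sample records in raw auditd log format (not a real capture).
# Event 4501: the analytics service's java process creates a cron file.
# Event 4502: root reads an existing cron file (nametype=NORMAL, not a creation).
# Event 4503: the same java process creates a file outside the watched dirs.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1632758400.123:4501): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=2345 auid=4294967295 uid=1000 gid=1000 euid=1000 comm="java" exe="/usr/bin/java" key="sched_write"
type=CWD msg=audit(1632758400.123:4501): cwd="/"
type=PATH msg=audit(1632758400.123:4501): item=0 name="/etc/cron.d/" inode=1234 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1632758400.123:4501): item=1 name="/etc/cron.d/update" inode=5678 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1632758401.456:4502): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=800 auid=4294967295 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="sched_write"
type=PATH msg=audit(1632758401.456:4502): item=0 name="/etc/cron.d/housekeeping" inode=999 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1632758402.789:4503): arch=c000003e syscall=257 success=yes exit=5 ppid=1 pid=2345 auid=4294967295 uid=1000 gid=1000 euid=1000 comm="java" exe="/usr/bin/java" key="sched_write"
type=PATH msg=audit(1632758402.789:4503): item=0 name="/var/log/app/out.log" inode=4242 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
"""

# Header of every record: type, timestamp and serial; the rest is key=value pairs.
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# Values are either a double-quoted string (with escapes) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Turn an audit record body into a dict, stripping quotes from values."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def group_events(log_text):
    """Group records by serial: one syscall and all PATH items it touched."""
    events = defaultdict(lambda: {"ts": None, "syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (or truncated); skip it
        ev = events[m.group("serial")]
        ev["ts"] = float(m.group("ts"))
        fields = parse_fields(m.group("body"))
        if m.group("type") == "SYSCALL":
            ev["syscall"] = fields
        elif m.group("type") == "PATH":
            ev["paths"].append(fields)
    return events


def find_scheduled_task_writes(log_text, watched_dirs=WATCHED_DIRS):
    """Return (serial, path, comm, uid) for each successful file creation
    under a watched directory. Only nametype=CREATE counts: reads and writes
    to files that already existed are not flagged here."""
    hits = []
    events = group_events(log_text)
    for serial in sorted(events, key=int):
        ev = events[serial]
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "yes":
            continue
        for p in ev["paths"]:
            name = p.get("name", "")
            if p.get("nametype") == "CREATE" and name.startswith(watched_dirs):
                hits.append((serial, name, sc.get("comm"), sc.get("uid")))
    return hits


if __name__ == "__main__":
    for serial, path, comm, uid in find_scheduled_task_writes(SAMPLE_AUDIT_LOG):
        print(f"audit serial {serial}: {comm} (uid {uid}) created {path}")
```

The records above are the shape produced by a watch rule such as `auditctl -w /etc/cron.d -p wa -k sched_write`; the key lets you route only those events to the parser. Correlating on the serial number rather than on the timestamp matters because several events can share a timestamp, and a single syscall produces one PATH record per path component it touched, so the PARENT entry for the directory itself must not be mistaken for a creation.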
Prioritize the installation of the patch
VMware disclosed CVE-2021-22005 on September 21 with a critical severity rating of 9.8 out of 10 and a strong recommendation that organizations consider "an emergency change" per ITIL best practices for IT service management and patch "as soon as possible".
In an advisory on Friday, CISA also urged critical infrastructure organizations with vulnerable vCenter servers to prioritize updating the machines or applying VMware's temporary workaround.
Four days later, the first proof-of-concept exploit code became available. Although it was non-functional in the form it was released, the code could easily be weaponized to achieve remote code execution, and attacks began shortly after its release.
After analyzing the incomplete code, CERT/CC vulnerability analyst Will Dormann noted that "the missing piece of this PoC keeps script kiddies away, but not a determined actor," adding that a full exploit was likely to emerge soon.
Threat actors showed interest in this vulnerability within hours of VMware's announcement, and they quickly built a working exploit from the incomplete code that security researcher Jang released last week along with some technical notes.
With a fully functional exploit now public, the number of attacks is expected to rise as less skilled actors join in. One of the biggest risks a business faces is falling victim to a ransomware attack, VMware warns.