VMware Issues Patch for 2 Severe Flaws Posing Credential Theft Risk

VMware issued a software update for its vRealize Operations, Cloud Foundation, and Lifecycle Manage to address two severe flaws that could allow an attacker to steal admin credentials and manipulate or access device information.

The affected technologies are found in VMware’s AI-powered IT management platform, which provides self-driving operations for private, hybrid, and multi-cloud environments.

CVE-2021-21975 has been issued a severity rank of 8.5, and CVE-2021-21983 was issued a severity score of 7.2. Both vulnerabilities were privately reported to VMware by researcher Egor Dimitenko of security firm Positive Technologies.

The first flaw is a server side request forgery (SSRF) within the vRealize Operations API Manager that could provide a hacker who’s already gained network access the ability to gain a foothold onto the platform’s API to perform a cyberattack to gain administrative credentials.

The second vulnerability is an arbitrary file flaw found in the same platform. An attacker with network access could exploit the flaw to write files to arbitrary locations within the photon operating system. 

The concern is that if the flaws are chained together during an attack, a threat actor could perform remote code execution in the impacted platforms.

“Chaining together both vulnerabilities enables a malicious actor to perform remote code execution in the context of the logged-on user,” according to the Center for Internet Security. “Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” 

“Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” they added. “A prerequisite of exploiting these vulnerabilities is that the malicious actor must have network access to the vRealize Operations Manager API.”

Hackers have increasingly leveraged chained vulnerabilities in their attack methods, as first reported by the FBI and CISA in mid-Fall 2020. At the time, the agencies warned that advanced persistent threat (APT) actors were targeting critical infrastructure and government networks using the attack method.

CISA reportedly observed several successful attacks accomplished by chaining flaws, which led to unauthorized access on elections support systems. Previous chaining attacks were seen exploiting multiple legacy flaws combined with the Windows Netlogon vulnerability, CVE-2020-1472.

Most recently, hackers have been exploiting four zero-day flaws found in Microsoft Exchange servers. At least 10 APT hacking groups are chaining the vulnerabilities together for greater impact, including an SSRF, as seen with theVMware disclosure.

To Joe Dibley, a security researcher for Stealbits/Netrix, the VMware flaws provide another example of the rise in chaining vulnerabilities.

“Bad actors have shifted focus from low privilege compromise attacks to targets that expose privilege escalation to now going directly for control systems with higher privileges, especially systems which are often used by large enterprises,” Dibley explained, in an email.

“While these vulnerabilities are serious, VMware has released patches as well as a very simple workaround which can be applied instantly until patching can be performed,” he added.

Vmware is urging entities to apply the provided software update to prevent an exploit. If a patch cannot be immediately applied, administrators should takes steps to prevent falling victim to an attack. The provided mitigation will not negatively impact the function of the device.

Administrators can simply remove a configuration line within all nodes of the impacted device, as directed by VMware.

CIS also provided mitigation recommendations, which include running all software as a non-privilefed user to diminish the impact of a successful exploit. Administrators should also apply the principle of least privilege to all systems and services.

Employees should also be reminded to avoid visiting untrustworthy sites or links from unknown sources and about the threats posed by attachments or email links.

As previously noted by CISA, entities should review the inventory of devices on the enterprise network and patch management processes to find all internet-facing infrastructure -- in light of the heightened targeting against vulnerable endpoints.

Systems should be kept up to date through prompt and routine patching processes, as well as consistent patch management cycles for the entire enterprise network. CISA previously stressed that these processes are the best defense against vulnerability and chaining cyberattacks.

April 01, 2021 - And as repeatedly noted in most vulnerability disclosures, multi-factor authentication should be applied wherever possible and applicable. Microsoft research has determined MFA blocks 99.9 percent of all automated attacks.