{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-052.pdf"
    },
    "title": "UPDATE: Critical Vulnerabilities in VMware Products",
    "serial_number": "2021-052",
    "publish_date": "22-09-2021 12:59:00",
    "description": "On Tuesday, September 21, 2021, VMware released the VMSA-2021-0020 advisory to address multiple vulnerabilities in vCenter Server and Cloud Foundation appliances that a remote attacker could exploit to take control of an affected system. The most urgent and critical is the file upload vulnerability CVE-2021-22005, which can be used to execute commands and software on the vCenter Server Appliance.<br>On Tuesday, September 24, 2021, VMware updated the advisory (VMSA-2021-0020.1) and confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code.",
    "url_title": "2021-052",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0VMware\u00a0Products'\nversion: '1.1'\nnumber: '2021-052'\ndate: 'September 28, 2021'\n---\n\n_History:_\n\n* _22/09/2021 --- v1.0 -- Initial publication_\n* _28/09/2021 --- v1.1 -- Update with information about the active exploitation_\n\n# Summary\n\nOn Tuesday, September 21, 2021, VMware released the VMSA-2021-0020 advisory [1] to address multiple vulnerabilities in vCenter Server and Cloud Foundation appliances that a remote attacker could exploit to take control of an affected system. The most urgent and critical is the file upload vulnerability **CVE-2021-22005**, which can be used to execute commands and software on the vCenter Server Appliance [2].\n\nOn Tuesday, September 24, 2021, VMware updated the advisory (VMSA-2021-0020.1) and confirmed reports that **CVE-2021-22005 is being exploited** in the wild [1]. Security researchers are also reporting **mass scanning** for vulnerable vCenter Servers and publicly available exploit code [5, 6, 7].\n\n# Technical Details\n\nA malicious actor with network access to port 443 on vCenter Server may exploit the **CVE-2021-22005 (CVSSv3 base score of 9.8)** vulnerability to execute code on vCenter Server by uploading a specially crafted file, **regardless of the configuration settings of vCenter Server** [1, 2].\n\n# Affected Products\n\nThe **CVE-2021-22005** vulnerability impacts the following versions [4]:\n\n- VMware vCenter Server 6.7\n- VMware vCenter Server 7.0\n\nThis issue (CVE-2021-22005) does not affect vCenter Server 6.5 [1].\n\n# Recommendations\n\nVMware recommends that affected customers install the relevant updates as soon as possible.\n\n## Workarounds\n\nVMware also provides a workaround as a temporary solution for those who cannot immediately patch their appliances [3].\n\n# References\n\n[1] <https://www.vmware.com/security/advisories/VMSA-2021-0020.html>\n\n[2] 
<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>\n\n[3] <https://kb.vmware.com/s/article/85717>\n\n[4] <https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-bug-in-default-vcenter-server-installs/>\n\n[5] <https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active>\n\n[6] <https://twitter.com/bad_packets/status/1441465508348317702>\n\n[7] <https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-vmware-vcenter-cve-2021-22005-bug/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>22/09/2021 --- v1.0 -- Initial publication</em></li><li><em>28/09/2021 --- v1.1 -- Update with information about the active exploitation</em></li></ul><h2 id=\"summary\">Summary</h2><p>On Tuesday, September 21, 2021, VMware released the VMSA-2021-0020 advisory [1] to address multiple vulnerabilities in vCenter Server and Cloud Foundation appliances that a remote attacker could exploit to take control of an affected system. The most urgent and critical is the file upload vulnerability <strong>CVE-2021-22005</strong>, which can be used to execute commands and software on the vCenter Server Appliance [2].</p><p>On Tuesday, September 24, 2021, VMware updated the advisory (VMSA-2021-0020.1) and confirmed reports that <strong>CVE-2021-22005 is being exploited</strong> in the wild [1]. Security researchers are also reporting <strong>mass scanning</strong> for vulnerable vCenter Servers and publicly available exploit code [5, 6, 7].</p><h2 id=\"technical-details\">Technical Details</h2><p>A malicious actor with network access to port 443 on vCenter Server may exploit the <strong>CVE-2021-22005 (CVSSv3 base score of 9.8)</strong> vulnerability to execute code on vCenter Server by uploading a specially crafted file, <strong>regardless of the configuration settings of vCenter Server</strong> [1, 2].</p><h2 id=\"affected-products\">Affected Products</h2><p>The <strong>CVE-2021-22005</strong> vulnerability impacts the following versions [4]:</p><ul><li>VMware vCenter Server 6.7</li><li>VMware vCenter Server 7.0</li></ul><p>This issue (CVE-2021-22005) does not affect vCenter Server 6.5 [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>VMware recommends that affected customers install the relevant updates as soon as possible.</p><h3 id=\"workarounds\">Workarounds</h3><p>VMware also provides a workaround as a temporary solution for those who cannot immediately patch their appliances [3].</p><h2 id=\"references\">References</h2><p>[1] <a 
rel=\"noopener\" target=\"_blank\" href=\"https://www.vmware.com/security/advisories/VMSA-2021-0020.html\">https://www.vmware.com/security/advisories/VMSA-2021-0020.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html\">https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.vmware.com/s/article/85717\">https://kb.vmware.com/s/article/85717</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-bug-in-default-vcenter-server-installs/\">https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-bug-in-default-vcenter-server-installs/</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active\">https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/bad_packets/status/1441465508348317702\">https://twitter.com/bad_packets/status/1441465508348317702</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-vmware-vcenter-cve-2021-22005-bug/\">https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-vmware-vcenter-cve-2021-22005-bug/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}