IT Security Guru

VMware urges customers to patch critical vulnerabilities in vRealize Operations platform

Two highly rated security issues that interact with each other inherently increase the severity of the issue

by The Gurus
March 31, 2021
in News

Cloud computing and virtualisation software and services provider VMware has patched a serious vulnerability that could have allowed an attacker to steal admin credentials in vRealize Operations.

In an advisory published on Tuesday, the company stated that “multiple vulnerabilities in VMware vRealize Operations were privately reported to VMware.” In the same announcement, VMware said that patches and workarounds are now available to address these vulnerabilities in impacted products and warned customers that the issues were evaluated to be of “Important” severity.

CVE-2021-21975 would allow a malicious actor with network access to the vRealize Operations Manager API to perform a Server Side Request Forgery attack to steal administrative credentials.

CVE-2021-21983 could allow an authenticated malicious actor with network access to the vRealize Operations Manager API to write files to arbitrary locations on the underlying Photon operating system.

Security professionals provided the following advice on these security issues:

Michael Barragry, operations lead at Edgescan: 

A prerequisite for these vulnerabilities is network access to the vRealize Operations Manager API. This illustrates how a layered, defense-in-depth strategy can help mitigate unforeseen vulnerabilities – in this case restricting access to the API could make the difference between being exploited or not.

APIs can often prove to be a bit of a blind spot for organisations, as various endpoints are often spun up as part of out-of-the-box deployments. These can be missed, or just forgotten about over time. Maintaining an accurate picture of all exposed infrastructure and services is critical to minimize risk of attack.

Lewis Jones, threat intelligence analyst at Talion:

The successful exploit of these vulnerabilities could allow an attacker remote access without user interaction to steal administrative credentials. This comes just months after Russian hackers reportedly exploited a VMware bug to plant web shells inside hacked networks and pivot to Microsoft ADFS servers from where they steal sensitive data.

Users of VMware are advised to apply the security updates swiftly, but VMware has provided a workaround for users unable to do so. To work around this issue, you will have to remove a configuration line from the casa-security-context.xml file and restart the CaSA service on the affected device.

Vulnerabilities are routinely exploited by threat attackers. Exploitation of vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available. As highlighted by the recent Microsoft Exchange attacks, once a vulnerability is publicly disclosed threat attackers quickly switch attack method to exploit the vulnerability before patches are applied. This emphasizes the importance of swift action by organisations, who should quickly follow the recommended actions and implement the security updates.

Stephen Kapp, CTO and CISO at Cortex Insight:

The highlighted issues within the fixes released by VMware show the importance of understanding vulnerability interactions and the concept of vulnerability chaining. Understanding vulnerability interactions within an environment is important; in this VMware instance both issues are rated by VMware as ‘Important’ and both have a ‘High’ banded CVSS rated score. Individually this would be enough for most organisations to have the updates applied quickly, although details are sparse within the released information, so gaining an understanding of the issue interactions is key to making an informed decision to prioritise remediation measures.

Two highly rated security issues that interact in a way that could improve the effectiveness of the other inherently increase the severity of the issue and thus warrant a more timely remediation response. But this can be said of lower severity issues; combining issues to improve the effectiveness is nothing new, but so many organisations fail to account for these interactions in their remediation efforts.
