With proofs of concept public, attackers are likely exploiting this vulnerability weeks after patches were released.

Three weeks after releasing patches for a critical vulnerability in VMware vCenter, thousands of servers that are reachable from the internet remain vulnerable to attacks. VMware vCenter is used by enterprises to manage virtual machines, the VMware vSphere cloud virtualization solution, ESXi hypervisors, and other virtualized infrastructure components.

Remote code execution and authentication bypass

On May 25, VMware published a critical advisory and released patches covering two serious vulnerabilities that stem from the use of VMware vCenter plug-ins. The first vulnerability, tracked as CVE-2021-21985, is caused by improper input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server. VMware vSAN is used for storage virtualization, but even if the plug-in is not actively used, its mere presence on the server is enough to enable attacks. An attacker with access to the server over port 443 (HTTPS) can exploit this issue without authentication to execute commands with unrestricted privileges on the operating system that hosts vCenter Server versions 6.5, 6.7 and 7.0, as well as VMware Cloud Foundation 3.x and 4.x, which include vCenter Server.

The second vulnerability, tracked as CVE-2021-21986, is rated as medium severity and impacts the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plug-ins. Attackers with access to a server over port 443 can perform actions allowed by the affected plug-ins without authentication.

Publicly exposed VMware servers

Researchers from security firm Trustwave recently performed a scan using SHODAN and identified 5,271 instances of VMware vCenter Server that are configured to be accessible from the internet.
The vast majority of them (5,076) operate over port 443. The researchers managed to connect to 4,969 of those servers and download information from their greeting banner, which includes more details about the specific version of the server, such as build number and underlying operating system. The collected information revealed that 4,019, or 80.88%, of the scanned servers had not yet been patched for these flaws and that most of the remaining ones are running much older versions of the software that are considered end-of-life and are likely vulnerable to a variety of older issues.

If the ratio of unpatched servers is so high among publicly accessible servers, which are generally easier to attack and should be carefully monitored, it's fair to assume that many vCenter Servers remain unpatched on private networks. However, attackers have many ways of gaining access to corporate networks, so attacking such servers would not be hard.

Proof-of-concept exploits and urgent need to patch

Since the patches were released in May, security researchers have developed and published proof-of-concept exploits for these issues, so potential attackers don't have to spend much effort to start exploiting them in the wild. VMware warned users from the start that these vulnerabilities need to be patched as soon as possible and even published manual workarounds that involve editing the compatibility-matrix.xml file to disable the vulnerable plug-ins.

"If you ARE a vSAN customer, disabling the vSAN plugin will remove all ability to manage vSAN," VMware said in a blog post. "No monitoring, no management, no alarms, nothing. This might be fine for your organization for very short periods of time but we at VMware cannot recommend it.
Please use caution."

"In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible," the company said.
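The Trustwave survey described above works by reading each server's greeting banner and comparing the reported version and build against the patched releases. The following is an added example (not Trustwave's or VMware's code) of that triage logic for your own asset inventory; it assumes banners in the style of vCenter's "VMware vCenter Server <version> build-<number>" product string, uses constructed sample banners, and leaves the minimum fixed build numbers as placeholders to be filled in from the vendor advisory.

```python
import re

# Constructed sample banners for the example, not real scan results.
SAMPLE_BANNERS = [
    "VMware vCenter Server 7.0.2 build-17958471",
    "VMware vCenter Server 6.7.0 build-14367737",
    "VMware vCenter Server 6.5.0 build-8024368",
    "VMware vCenter Server 6.0.0 build-5112506",
    "nginx/1.18.0",
]

# PLACEHOLDER values: the lowest build that contains the fix, per affected
# line. Replace with the real build numbers from VMware's advisory.
FIXED_BUILD_PLACEHOLDER = {"6.5": 18000000, "6.7": 18000000, "7.0": 18000000}

# Lines named as affected in the advisory; older lines are end-of-life.
AFFECTED_LINES = ("6.5", "6.7", "7.0")

BANNER_RE = re.compile(r"VMware vCenter Server (\d+)\.(\d+)\.(\d+) build-(\d+)")


def parse_banner(banner):
    """Return (major.minor line, build number) or None if not a vCenter banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, _patch, build = m.groups()
    return f"{major}.{minor}", int(build)


def classify(banner, fixed_builds=FIXED_BUILD_PLACEHOLDER):
    """Classify one banner: patched, unpatched, end-of-life, newer or not-vcenter."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-vcenter"
    line, build = parsed
    major, minor = (int(x) for x in line.split("."))
    if (major, minor) > (7, 0):
        return "newer-than-advisory"  # not covered by this advisory's table
    if line not in AFFECTED_LINES:
        return "end-of-life"
    return "patched" if build >= fixed_builds[line] else "unpatched"


def summarize(banners, fixed_builds=FIXED_BUILD_PLACEHOLDER):
    """Count hosts per status, the figure the survey reports as a percentage."""
    counts = {}
    for banner in banners:
        status = classify(banner, fixed_builds)
        counts[status] = counts.get(status, 0) + 1
    return counts
```

Run it against the banners your own scanner collects; hosts reported as unpatched or end-of-life are the ones to patch or isolate first.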