Positive Technologies discovered a vulnerability in VMware vCenter/vSphere that allows an unauthenticated attacker to remotely execute code on the VMware hypervisor (CVE-2021-21972). The vulnerability was first reported to the vendor on October 2, 2020, and VMware released a patch on February 23, 2021.
Is a weaponized exploit available yet?
Yes. Proof-of-concept code was published on GitHub shortly after the patch was released, so any attacker with access to that code can take advantage of the vulnerability.
How Bad is This?
Bad. Any threat actor who can reach port 443 on your vCenter server can completely compromise the device, the data, and any VMs it contains.
Several exploits are now public – you should expect that these will be used immediately to facilitate attacks. Scanning for vulnerable systems has been seen:
We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).
— Bad Packets (@bad_packets) February 24, 2021
What Should I Do?
Make sure no vCenter assets are directly exposed to the internet; if they are, sever that access and triage those hosts for indications of compromise. If not directly exposed to the internet, prioritize patching quickly because a locally networked device could be used to exploit internal hosts. It only takes one phishing email for an actor to breach the perimeter.
Your options are ordered from the most complete remediation to more temporary measures:
Apply the patch according to your version.
Employ a workaround to disable the vulnerable location on the server. Here are instructions on how to do that, from VMware’s knowledge base: https://kb.vmware.com/s/article/82374
Use network firewalls to restrict access on port 443 to trusted hosts only.
How to Detect
Watch for unusual access to vCenter hosts on port 443; if possible, target requests for the URI paths:
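As an added example (not part of the original advisory), the following Python sketch triages proxy or firewall records for port 443 traffic to vCenter, flagging sources outside the trusted networks and requests whose normalized path matches a watched prefix. The log layout, addresses, trusted network and `/PLACEHOLDER-WATCHED-PATH` prefix are all constructed assumptions; substitute the URI paths from the vendor advisory and your own inventory.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumptions, not values from the advisory: replace with your own environment.
VCENTER_HOSTS = {"10.0.5.10"}                         # vCenter addresses to watch
TRUSTED_NETS = [ipaddress.ip_network("10.0.9.0/24")]  # admin/jump-host networks
WATCHED_PREFIXES = ["/PLACEHOLDER-WATCHED-PATH"]      # placeholder URI path

# Constructed sample records: time src dst dport method uri status
SAMPLE_LOG = """\
2021-02-24T10:01:02Z 10.0.9.15 10.0.5.10 443 GET / 200
2021-02-24T10:03:40Z 203.0.113.77 10.0.5.10 443 GET / 200
2021-02-24T10:03:41Z 203.0.113.77 10.0.5.10 443 POST /PLACEHOLDER-WATCHED-PATH/upload 200
2021-02-24T10:05:09Z 10.0.9.15 10.0.5.10 443 POST //placeholder-watched-path/%75pload 404
2021-02-24T10:06:00Z 203.0.113.77 10.0.5.20 443 GET / 200
2021-02-24T10:06:30Z 203.0.113.77 10.0.5.10 22 - - -
"""

def normalize(uri):
    """Strip the query, decode %xx, collapse slashes and dot segments, lowercase."""
    path = unquote(uri.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path)).lower()

def triage(log_text):
    """Return (line_no, source_ip, reasons) for each request worth reviewing."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 7:
            continue                      # malformed record
        _, src, dst, dport, _, uri, _ = fields
        if dst not in VCENTER_HOSTS or dport != "443":
            continue                      # not vCenter HTTPS traffic
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue                      # source field is not an IP address
        reasons = []
        if not any(src_ip in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")
        if any(normalize(uri).startswith(p.lower()) for p in WATCHED_PREFIXES):
            reasons.append("watched-path")
        if reasons:
            findings.append((line_no, src, reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A watched-path hit from a trusted source (line 4 of the sample) is still reported, since an already compromised internal host is the scenario the advisory warns about.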
For further technical details, see: