Administrators are advised to patch their VMware servers as soon as possible, after a proof of concept for a critical remote code execution (RCE) vulnerability that requires no authentication to exploit was released.
Positive Technologies security researcher Mikhail Klyuchnikov reported the RCE vulnerability to VMware in October last year, but kept details of the flaw under wraps.
However, a Chinese security vendor, Noah Lab, published a proof of concept for the vCenter RCE today.
Mass scans for the vulnerability are currently taking place, security vendor Bad Packets said.
We've detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt). Query our API for "tags=CVE-2021-21972" for relevant indicators and source IP addresses. #threatintel https://t.co/AcSZ40U5Gp
— Bad Packets (@bad_packets) February 24, 2021
Klyuchnikov said the RCE vulnerability is due to attackers being able to upload unauthorised files such as Java Server Pages scripts to VMware servers, enabling the execution of arbitrary commands with elevated privileges.
As a result, "a malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server," VMware said in its security advisory this week.
VMware has released patches for the RCE, which is rated as critical with a score of 9.8 out of 10.
A second RCE vulnerability in the OpenSLP (Server Location Protocol), rated as important with a score of 8.8, was also patched by VMware, along with five bugs deemed moderately severe.
VMware said its ESXi, vSphere Client for vCenter Server and Cloud Foundation products are vulnerable to the above flaws.
A scan of the internet by iTnews using the Shodan search engine found 112 potentially vulnerable vCenter systems in Australia, and 13 in New Zealand.
Around the world, Shodan found 6575 systems, most of them on United States networks.