CVE-2021-21975, CVE-2021-21983: Chained Vulnerabilities in VMware vRealize Operations Could Lead to Unauthenticated Remote Code Execution
VMware has addressed a pair of vulnerabilities in vRealize Operations that, when chained together, could result in unauthenticated remote code execution in vulnerable servers.
Background
On March 30, VMware released a security advisory (VMSA-2021-0004) to address two vulnerabilities in vRealize Operations, an AI-powered IT operations management platform for multi-cloud, private and hybrid environments.
| CVE | Vulnerability Type | CVSSv3 |
|---|---|---|
| CVE-2021-21975 | Server-Side Request Forgery | 8.6 |
| CVE-2021-21983 | Arbitrary File Write Vulnerability | 7.2 |
These vulnerabilities affect vRealize Operations, and also impact VMware Cloud Foundation (vROps) and vRealize Suite Lifecycle Manager (vROps). VMware has attributed the responsible disclosure of both of these vulnerabilities to Egor Dimitrenko, a security researcher at Positive Technologies.
These were not the first VMware-related vulnerabilities to be disclosed by researchers at Positive Technologies in 2021. On February 23, VMware released a security advisory (VMSA-2021-0002) addressing a number of vulnerabilities in VMware vCenter Server. Included in this advisory was CVE-2021-21972, a critical remote code execution (RCE) vulnerability scoring a CVSSv3 score of 9.8. The RCE flaw was discovered and disclosed by Mikhail Klyuchnikov, a security researcher from Positive Technologies.
Analysis
CVE-2021-21975 is a Server-Side Request Forgery (SSRF) vulnerability in the vRealize Operations API Manager that could allow a remote, unauthenticated attacker to steal administrative passwords. VMware assigned the vulnerability an “Important” severity rating with a CVSSv3 score of 8.6.
CVE-2021-21983 is an arbitrary file write vulnerability in the vRealize Operations API Manager that could allow an authenticated remote attacker to write files (potentially malicious in nature) to arbitrary locations on VMware’s underlying operating system (OS), Photon OS. While exploiting this vulnerability on its own would require authentication, the attacker can bypass this requirement by chaining CVE-2021-21975.
On March 30, Positive Technologies published a tweet highlighting the vulnerabilities discovered by Dimitrenko. The tweet disclosed a further risk to unpatched systems in which attackers could achieve unauthenticated RCE on vulnerable systems by chaining both CVE-2021-21975 and CVE-2021-21983 together. No details have been shared publicly as to how this can be achieved, but we anticipate researchers or threat actors to develop a proof-of-concept (PoC) exploit in the near future.
VMware fixed CVE-2021-21975 and CVE-2021-21983, which when chained together lead to an unauth RCE in vRealize Operations.
— PT SWARM (@ptswarm) March 30, 2021
The vulnerabilities were found by our researcher Egor Dimitrenko.
Advisory: https://t.co/WbQwWyCuhS pic.twitter.com/qzEcBqJAg3
Proof of concept
At the time this blog post was published, there were no PoC exploits available for either vulnerability, or a combination of the two.
Solution
On March 30, VMware released the following updates for vRealize Operations to address CVE-2021-21975 and CVE-2021-21983:
| Affected Product | Vulnerable Version | Fixed Version | KB Article |
|---|---|---|---|
| vRealize Operations Manager | 8.3.0 | vROps-8.3.0-HF3 | KB83210 |
| vRealize Operations Manager | 8.2.0 | vROps-8.2.0-HF4 | KB83095 |
| vRealize Operations Manager | 8.1.1, 8.1.0 | vROps-8.1.1-HF6 | KB83094 |
| vRealize Operations Manager | 8.0.1, 8.0.0 | vROps-8.0.1-HF7 | KB83093 |
| vRealize Operations Manager | 7.5.0 | vROps-7.5.0-HF14 | KB82367 |
If upgrading is not feasible at this time, VMware has provided workaround instructions for CVE-2021-21975 and CVE-2021-21983 that involve modifying the casa-security-context.xml file and restarting the Cluster Analytic (CaSA) service. The patching and workaround steps are linked in the corresponding KB articles in the table above.
Please note that this should only be used as a temporary workaround until upgrading is feasible.
Patches have also been released for VMware Cloud Foundation (vROps) versions 3.x and 4.x as well as vRealize Suite Lifecycle Manager (vROps) 8.x. Information on the patch can be found in the support article KB83260.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
- VMware Security Advisory (VMSA-2021-0004)
- vRealize Operations 8.3 Security Patch (83210)
- vRealize Operations 8.2 Security Patch (83095)
- vRealize Operations 8.1.1 Security Patch (83094)
- vRealize Operations 8.0.1 Security Patch (83093)
- vRealize Operations 7.5 Security Patch (82367)
- VMware vRealize Operations security patches (83260)
- CVE-2021-21972: VMware vCenter Server Remote Code Execution Vulnerability
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
September 26, 2024Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.
Secure Your Sprawling Attack Surface With Risk-based Vulnerability Management
August 27, 2024The cloud, artificial intelligence (AI), machine learning and other technological breakthroughs are radically changing the modern work environment. New assets and services offer increased flexibility, growth potential and access to more resources. However, they also introduce new security risks. Managing vulnerabilities across this ever-expanding threat landscape requires a risk-based approach beyond point solutions and reactive patch management.
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
September 26, 2024Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.
Establishing a Cloud Security Program: Best Practices and Lessons Learned
September 26, 2024As we’ve developed Tenable’s cloud security program, we in the Infosec team have asked many questions and faced interesting challenges. Along the way, we’ve learned valuable lessons and incorporated key best practices. In this blog, we’ll discuss how we’ve approached implementing our cloud security program using Tenable Cloud Security, and share recommendations that you may find helpful.
- Vulnerability Management