Governance & Risk Management , IT Risk Management , Patch Management

VMware Patches 2 Flaws in vRealize Operations

If Exploited, Flaws Could Open Door to Theft of Admin Credentials
VMware Patches 2 Flaws in vRealize Operations

VMware has issued patches for two critical vulnerabilities in its IT operations management platform, vRealize Operations, which, if exploited, could allow attackers to steal administrative credentials.

See Also: What's the answer to the vulnerability overload problem? Key findings from ESG's Cyber Risk Management survey

The platform is designed to offer self-driving IT operations management for private, hybrid and multi-cloud environments in a unified platform powered by artificial intelligence.

VMware issued patches on Tuesday for the flaws CVE-2021-21975, which has a CVSS ranking of 8.6, and CVE-2021-21983, which has a CVSSv3 base score of 7.2.

Egor Dimitrenko of Positive Technologies discovered these vulnerabilities and reported them to VMware.

If the two vulnerabilities are chained together, they could enable an attacker to conduct remote code execution in vRealize Operations, Positive Technologies reports.

VMWare did not respond to a request for comment.

Lewis Jones, threat intelligence analyst at Talion, says the successful exploit of these vulnerabilities could enable the theft of administrative credentials via remote access.

"Users of VMware are advised to apply the security updates swiftly, but VMware has provided a workaround for users unable to do so," Jones says. "To work around this issue, you will have to remove a configuration line from the casa-security-context.xml file and restart the CaSA service on the affected device."

Exploit Risk

The vulnerability tracked as CVE-2021-21975 in the vRealize Operations Manager API contains a Server Side Request Forgery. That means an attacker could abuse the functionality of a server, causing it to access or manipulate information that would otherwise not be directly accessible to the attacker.

Satnam Narang, staff research engineer at the security firm Tenable, says an unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable vROps Manager API endpoint.

The other flaw, CVE-2021-21983, is an arbitrary file write vulnerability in the VROps Manager API that could be exploited to write files to the underlying operating system.

"This vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw," Narang says. “If attackers chain both CVE-2021-21975 and CVE-2021-21983 together, they could also gain remote code execution privileges.”

VMware has provided patches for both flaws across vROps Manager versions 7.5.0 through 8.3.0.

Other VMware Issues

Earlier in March, VMware issued patches for a critical vulnerability in its virtual desktop deployment platform, View Planner. The vulnerability, CVE-2021-21978, was caused by improper input validation and lack of authorization, resulting in arbitrary file upload in VMware's View Planner web application (see: VMware Patches Vulnerability on View Planner).

In February, Positive Technologies noted that more than 6,000 VMware vCenter devices worldwide were susceptible to a critical remote code execution vulnerability. VMware issued recommendations for patching the flaw (see: 6,000 VMware vCenter Devices Vulnerable to Remote Attacks).

In December 2020, the U.S. National Security Agency warned that Russian state-sponsored threat actors were attempting to exploit a vulnerability in several VMware products (see: NSA: Russian Hackers Exploiting VMware Vulnerability).


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.