The Cybersecurity and Infrastructure Security Agency (CISA) alerted critical infrastructure entities and other organizations of a security vulnerability on VMware vCenter Server that was recently patched. CISA has now reported that VMware has confirmed reports that the vulnerability is being exploited in the wild. To reduce their risk exposure, these firms have been advised to upgrade to a fixed version of the product as quickly as possible, and apply the temporary workaround provided by VMware, if unable to upgrade to a fixed version immediately.
The affected product versions are vCenter Server 6.5, 6.7, and 7.0. Earlier last week, VMware disclosed that vCenter Server is affected by an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 can exploit this vulnerability to execute code on vCenter Server, CISA said.
Tracked as CVE-2021-22005, the file upload vulnerability can be used to execute commands and software on the vCenter Server Appliance. The vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server, VMware said in an FAQ.
VMware also pointed out other issues that have lower CVSS scores but may still be useful to an attacker who is already inside the organization’s network. “One of the biggest problems facing IT today is that attackers often compromise a desktop and/or user account on the corporate network, and then patiently & quietly use that to break into other systems over long periods of time. They steal confidential data, intellectual property, and at the end install ransomware and extort payments from their victims. Less urgent security vulnerabilities can still be potential tools in the hands of attackers, so VMware always recommends patching to remove them,” it added.
“Critical security advisories are always difficult conversations, and unfortunately part of the landscape in IT. We at VMware are always looking at what we need to do to our products to keep these advisories as uncommon occurrences, so we can go back to talking about all the positive security that vSphere offers,” Bob Plankers, technical marketing at VMware, wrote in a blog post.
A remote code execution (RCE) vulnerability is one where an attacker who can reach the affected software over the network, in this case vCenter Server, can execute commands on it, bypassing the security controls in place. This leaves perimeter firewall controls, and the vCenter Server VAMI firewall controls, as the last line of defense against this issue until it is remediated.
Organizations that have placed their vCenter Servers on networks directly accessible from the Internet may not have that line of defense and should audit their systems for compromise, VMware said. They should also take steps to implement additional perimeter security controls, such as firewalls and access control lists (ACLs), on the management interfaces of their infrastructure.
Organizations with perimeter security controls on their virtualization infrastructure management interfaces may still be in jeopardy, VMware pointed out. Ransomware operators have demonstrated that they can compromise corporate networks and then wait, extremely patiently, for a new vulnerability to attack from inside the network.
“Organizations may want to consider additional security controls and isolation between their IT infrastructure and other corporate networks as part of an effort to implement modern zero-trust security strategies,” VMware added. This method of cyberattack played out recently in the DarkSide ransomware incident that compromised the Colonial Pipeline networks and led the company to take certain systems offline to contain the threat. Colonial temporarily halted all pipeline operations, with some of its IT systems also affected, and is currently in the process of restoring them.
American security agencies have also warned of increased Conti ransomware activity, with over 400 attacks on U.S. and international organizations attempting to steal files, encrypt servers and workstations, and demand a ransom payment for the return of stolen sensitive data.
CISA also released last week a De-Escalation Series for critical infrastructure owners and operators, offering guideposts for recognizing when someone may be on a path to violence, assessing whether a situation or person of concern is escalating, and determining whether an emergency response is needed immediately. It also covers how to de-escalate a situation as it unfolds through purposeful actions, verbal communication, and body language. In addition, the agency set down guidelines on how to report the situation: through organizational reporting channels, to enable assessment and management of an evolving threat, and through 9-1-1 for immediate threats.
These indicators are meant to identify activities and behaviors that may be concerning or indicative of impending violence. Some of these activities, while concerning, may be constitutionally protected and should be reported only when there are sufficient facts to support a rational conclusion that the behavior represents a potential threat of violence, according to the agency.
CISA and the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) also identified last week nine categories of recommended cybersecurity practices and used these categories as the foundation for preliminary control system cybersecurity performance goals.