VMware vROps Flaws Can Provide ‘Unlimited Opportunities’ in Attacks on Companies
A couple of serious vulnerabilities patched recently by VMware in its vRealize Operations (vROps) product can pose a significant risk to organizations, according to a researcher involved in the discovery of the security bugs.
The vROps IT operations management product, specifically the vRealize Operations Manager API, is affected by a server-side request forgery (SSRF) vulnerability tracked as CVE-2021-21975, and an arbitrary file write issue tracked as CVE-2021-21983.
According to VMware, the SSRF flaw can allow an attacker with network access to the API to obtain administrative credentials. The second vulnerability allows an authenticated attacker to write files to arbitrary locations on the underlying Photon operating system.
VMware has credited Egor Dimitrenko, a researcher at cybersecurity firm Positive Technologies, for finding the vulnerabilities. Dimitrenko told SecurityWeek that an attacker can chain the vulnerabilities to remotely execute arbitrary code on a server.
The expert warned that in a real-world attack, the vulnerabilities can give threat actors “unlimited opportunities to carry out further attacks on a company’s infrastructure.”
VMware has patched the vulnerabilities in all impacted versions of vRealize Operation Manager, as well as in Cloud Foundation and vRealize Suite Lifecycle Manager. Based on their CVSS score, the vulnerabilities should have a severity rating of “high,” but the virtualization giant’s advisory lists them as “critical.”
It’s important that organizations using vROps patch these vulnerabilities as soon as possible as they could end up being exploited for malicious purposes.
In February, hackers started to scan the internet for VMware vCenter servers affected by a critical vulnerability that was also discovered by researchers at Positive Technologies. The scanning began just one day after VMware announced the availability of patches. However, in that case, PoC exploit code was quickly made available and it had been known that thousands of potentially vulnerable servers were directly accessible from the internet.