VMware Developers Fixed Serious Vulnerability In vSphere Replication

Positive Technologies expert Egor Dimitrenko discovered a high severity vulnerability in VMware vSphere Replication data replication tool. This solution allows creating backups of virtual machines and start them in case of failure of the main virtual machine.

The found error allowed attackers that had access to the VMware vSphere Replication admin web interface to execute arbitrary code on the server with maximum privileges and begin moving inside the network to take control of the corporate infrastructure.

“vSphere Replication contains a post-authentication command injection vulnerability in “Startup Configuration” page. VMware has evaluated this issue to be ‘Important’ severity. A malicious actor with administrative access in vSphere Replication can execute shell commands on the underlying system. Successful exploitation of this issue may allow authenticated admin user to perform a remote code execution”, — say VMware representatives in the official vulnerability notice.

The issue is identified as CVE-2021-21976 and is rated 7.2 out of 10 on the CVSS v3.

According to expert Yegor Dimitrienko, vulnerabilities that allow performing this kind of attack (command injection) are quite common in administration products.

“Typically, such errors are caused by insufficient validation of user input, which subsequently ends up in the context of invoking system commands. Mechanisms for preventing such attacks are usually built into developer tools, protecting against the possibility of making mistakes when writing code. However, there are still anomalies in the code, for example while introducing new functionality or fixing an existing problem with hotfixes”, – explains Yegor Dimitrenko.

To exploit a vulnerability found in a VMware product, an attacker would need credentials that could be obtained through weak passwords or social engineering attacks.

To eliminate the vulnerability, experts advise to follow the recommendations from the official notice from VMware.

Let me remind you that we have already talked about the vulnerabilities in VMware products. For example, we recently reported that Vulnerabilities in VMWare ESXi are exploited to encrypt virtual disks. And even earlier that VMware patches 0-day vulnerability discovered by NSA.