Not a drill: VMware vuln with 9.8 severity rating is under attack

343 points, by jbonniwell, almost 4 years ago

11 comments

tptacek, almost 4 years ago
Just a reminder that these severity ratings, while often directionally useful (a 9.x probably is something you should care about if you run the target software; a 2.x is *probably* not), the ratings themselves are total horseshit and a running industry joke; literally a Ouija board, starting from a hopelessly ambiguous "calculator" that you run and then apply subtle inputs to get the score where you want it to be.
nick__m, almost 4 years ago
A PoC appears to be available there: https://github.com/xnianq/cve-2021-21985_exp !

P.S. I use Yandex to find CVE PoCs; Google is almost useless for that kind of search, and Yandex almost always delivers working code!
anonymousiam, almost 4 years ago
It's safe to say that anybody who exposes vCenter directly to the web is practicing poor security. I cannot imagine any scenario where this would be required. I manage a few VxRail/vSphere clusters and everything is behind firewalls and VPNs.

That said, I understand that this vulnerability basically gives root to anyone with VPN access. In our case, pretty much anyone who has VPN access to the cluster already has root on it anyway.
na85, almost 4 years ago
It can't be *that* bad, since I haven't seen a flashy website for this vuln, complete with a logo, making the rounds on social media.
justusthane, almost 4 years ago
If you don't use the vCenter plugins in which the vulnerabilities exist (vSAN Health Check, vROPS Manager), it's incredibly easy to mitigate this vulnerability by manually marking these plugins as incompatible: https://kb.vmware.com/s/article/83829
merb, almost 4 years ago
Why do people put their VMware vCenter onto the internet?
colonelxc, almost 4 years ago
Not even the first preauth vSphere RCE this year: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972
ssakamoto, almost 4 years ago
The website in the tweet appears to be filled with suspicious, malware-like content; beware.
terminalserver, almost 4 years ago
9.8 out of 10?

What does the .2 represent?
hgo, almost 4 years ago
Dear Ars Technica, please don't write articles like this, where you make it seem like curl is somehow related or even the cause: "It can be reproduced using five requests from cURL, a command-line tool that transfers data using HTTP, HTTPS, IMAP, and other common Internet protocols." I find it quite distasteful to somehow sneak a plug for curl in here at all.

Thinking of "I will slaughter you", where Daniel explains how he gets death threats from clueless sysadmins who see that they have been hacked by someone who used curl.

https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/

Edit: I have e-mailed the author, but someone who uses Twitter may want to try and reach the author at @dangoodin001. Thank you.
gwbas1c, almost 4 years ago
I worked briefly at VMware. An exploit like this doesn't surprise me one bit.

We had a company mailing list that people used to email jokes back and forth all the time.

One rather ignorant programmer put a rule on his email where he would get an alert whenever anybody emailed him with a particular word in the subject line. That word happened to get into a rather popular email thread, and in the middle of the thread we started getting complaints from him asking us to change the subject line because his pager was beeping off the hook.

Career-limiting move! He took a lot of heat for making poor assumptions.