THREAT ACTORS LEVERAGING EXPLOITS SEEN IN WILD SINCE DECEMBER
CVE-2021-39144 – VMware Cloud Foundation XStream Remote Code Execution Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has added another VMware vulnerability (CVE-2021-39144) to their growing list of vulnerabilities that they have observed threat actors exploiting in the wild. Exploitation only requires network access to the NSX-v Manager appliance, and successful exploitation will give root privileges (full control) of the NSX-v Manager. This exploit is lower complexity with available POC code, and vulnerable systems only need to be network accessible to any compromised machines, or web accessible, with no additional requirements such as valid credentials.
All versions of VMware NSX Data Center for vSphere (NSX-v) Manager 6.4.14 are affected by the vulnerability. Because these are observed being actively exploited, it is important to ensure that relevant VMware products are fully patched. Additional information is available in the VMware article linked below. Proof of concept (POC) code is currently available, giving both security professionals and threat actors easy methods to find vulnerable systems. The NIST link below has references to available exploit code.
- If leveraging VMware Cloud Foundation, ensure that it is fully patched.
- Proper documentation of critical and sensitive infrastructure products to quickly identify potentially vulnerable systems.
- Network segmentation and limited accessibility to VMware/critical infrastructure should be enforced and periodically reviewed.
The information provided in this article is provided “as-is”. It is not finally evaluated intelligence and should be considered raw information that is provided for strictly situational awareness, given what is known at this time.