On September 21, 2021, VMware published an advisory covering several vulnerabilities, most notably CVE-2021-22005, which affects its vCenter Server product. CVE-2021-22005 is an arbitrary file upload vulnerability that can lead to remote code execution (RCE) via upload of a specially crafted file, and it is exploitable regardless of the configuration settings of vCenter Server.
Because of the severity of this vulnerability, VMware published workaround instructions describing how to patch affected products, either manually or with an automated script. The automated patching script (available in the right-hand panel of the linked page) includes logic to check whether your product is vulnerable to CVE-2021-22005 and to confirm that the patch has been applied as expected.
As of September 23, 2021, there is no known publicly available proof-of-concept (PoC) code for this CVE that enables arbitrary file upload or RCE. However, GreyNoise is observing a significant number of checks for vulnerable vCenter Server instances that are based on the automated patching script provided by VMware, most of them egressing via Tor.
The following tags have been released to enable monitoring of relevant activity:
- VMWare VCSA File Upload Check: The vulnerability check tag for CVE-2021-22005 matches actively used variations of VMware's patching script check, which typically send invalid JSON or an empty JSON object to the vulnerable endpoints. [View In GreyNoise]
- VMWare VCSA File Upload Attempt: The vulnerability attempt tag for CVE-2021-22005 matches activity against the vulnerable endpoints that carries a valid, parsable, non-empty payload. [View In GreyNoise]
Editor's Note: If either of these tags returns "no results," we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.
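To make the distinction between the two tags concrete, here is an added example (written for this post, not GreyNoise's tag logic and not VMware's script) that classifies raw HTTP requests the way the tags above do: a POST to the watched endpoint carrying invalid JSON or an empty JSON object is labelled as a check, and one carrying a valid, non-empty JSON payload as an attempt. The endpoint path in `ENDPOINT_PREFIX` and the sample requests are assumptions constructed for the example; the page does not name the endpoint, so substitute the one your sensor actually needs to watch.

```python
import json
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumption for illustration only: the page does not name the vulnerable
# endpoint. This path is a stand-in; adjust it to the endpoint you watch.
ENDPOINT_PREFIX = "/analytics/telemetry/ph/api/hyper/send"


def parse_http_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str], bytes]]:
    """Split a raw HTTP/1.1 request into (method, target, headers, body).

    Returns None when the request line is malformed.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        return None
    method, target, _version = (p.decode("ascii", errors="replace") for p in parts)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return method, target, headers, body


def classify_payload(body: bytes) -> str:
    """Label a request body the way the two tags separate traffic.

    'check'   : no payload, invalid JSON, or an empty JSON object {}, i.e. what
                the script-derived vulnerability checks send
    'attempt' : valid, parsable, non-empty JSON, i.e. something is being uploaded
    """
    text = body.strip()
    if not text:
        return "check"      # no payload at all: treated as a probe (our choice; the post does not cover it)
    try:
        parsed = json.loads(text)
    except ValueError:      # json.JSONDecodeError and UnicodeDecodeError both subclass ValueError
        return "check"      # invalid JSON, as the script-derived checks send
    if parsed == {}:
        return "check"      # empty JSON object
    return "attempt"        # valid, non-empty payload


def classify_request(raw: bytes) -> Optional[str]:
    """Return 'check', 'attempt', or None when the request is not aimed at the endpoint."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return None
    method, target, _headers, body = parsed
    path = target.split("?", 1)[0]          # ignore the query string when matching the path
    if method != "POST" or not path.startswith(ENDPOINT_PREFIX):
        return None
    return classify_payload(body)


def summarize(requests: List[bytes]) -> Dict[str, int]:
    """Count how many of the given requests would fall under each tag."""
    counts: Counter = Counter()
    for raw in requests:
        label = classify_request(raw)
        if label is not None:
            counts[label] += 1
    return dict(counts)


# Constructed sample traffic (not real captures): two script-style checks,
# one attempt carrying a real payload, and one unrelated request.
SAMPLE_REQUESTS: List[bytes] = [
    b"POST /analytics/telemetry/ph/api/hyper/send?_c=&_i=test HTTP/1.1\r\n"
    b"Host: vcenter.example\r\nContent-Type: application/json\r\nContent-Length: 2\r\n\r\n{}",
    b"POST /analytics/telemetry/ph/api/hyper/send?_c=&_i=test HTTP/1.1\r\n"
    b"Host: vcenter.example\r\nContent-Length: 3\r\n\r\n{{{",
    b"POST /analytics/telemetry/ph/api/hyper/send?_c=&_i=test HTTP/1.1\r\n"
    b"Host: vcenter.example\r\nContent-Type: application/json\r\nContent-Length: 22\r\n\r\n"
    b'{"data": "AAAAAAAAAA"}',
    b"GET /ui/login HTTP/1.1\r\nHost: vcenter.example\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split(b"\r\n", 1)[0].decode(), "->", classify_request(raw))
    print(summarize(SAMPLE_REQUESTS))
```

The split mirrors the tag definitions: anything that cannot be parsed as JSON, or parses to an empty object, is what a script-derived check looks like, so it lands in the check bucket, and only a parsable, non-empty body counts as an attempt. An empty body is not described by the post; the example treats it as a check because it carries nothing that could be an upload, and that decision is marked in the code.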