VMware fixes bug allowing attackers to steal admin credentials

Posted by & filed under Security Alerts.

VMware has published security updates to address a high severity vulnerability in vRealize Operations that could allow attackers to steal admin credentials after exploiting vulnerable servers.

vRealize Operations is an AI-powered and “self-driving” IT operations management for private, hybrid, and multi-cloud environments, available as an on-premises or SaaS solution.

The vulnerability was discovered and reported to VMware by Positive Technologies web security researcher Egor Dimitrenko.

SSRF exploitable by unauthenticated attackers

The privately reported vulnerability tracked as CVE-2021-21975 is caused by a Server Side Request Forgery bug in the vRealize Operations Manager API.

Attackers can exploit the vulnerability remotely without requiring authentications or user interaction in low complexity attacks to steal administrative credentials.

VMware rated the security flaw as high severity giving it a base score of 8.6 out of 10.

Details on how to get the security patch for vRealize Operations are available in the support articles linked below:

Workaround also available

VMware has also published workaround instructions for admins who don’t want to or can’t immediately patch servers running vulnerable vRealize Operations versions (e.g., there is no patch for their version).

As the company explained, there are is no impact after applying the workaround measures and no functionality will be affected.

To work around this issue, you will have to remove a configuration line from the casa-security-context.xml file and restart the CaSA service on the affected device.

Detailed information on how to do that is available in the support articles linked above for each security patch/version.

VMware today fixed a second high-severity vulnerability in the vRealize Operations Manager API (tracked as CVE-2021-21974) and allowing authenticated attackers to remotely “write files to arbitrary locations on the underlying photon operating system.”

 

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.