VMware this week issued updates addressing a critical vulnerability that impacts VMware Cloud Foundation. Shortly after the update was released, exploit code leveraging the flaw against the impacted products was published.
The remote code execution bug (CVE-2021-39144) exists in XStream, an open source Java library for object serialization, and was initially patched there on Aug. 22, 2021. However, VMware Cloud Foundation uses XStream to deserialize input, which leaves several versions of the cloud platform vulnerable to the flaw.
“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of 'root' on the appliance,” said VMware in a security advisory this week.
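The root cause the advisory describes is a generic one: XStream maps element names in incoming XML to Java classes and instantiates them, so an endpoint that feeds unauthenticated input to an XStream instance without a type allow-list lets the sender choose which classes get built. The following is an added Java illustration of the weak pattern beside the hardened one; it is not VMware's or the XStream project's own code, and `RequestDto`, `parseUnrestricted`, `parseRestricted` and the sample XML are assumptions constructed for the example. Note that XStream 1.4.18 and later ship with a deny-by-default security framework, so the explicit allow-list below mostly matters for older releases or for code that has opened the defaults back up.

```java
// Added illustration (not VMware's or XStream's own code): the same XStream
// call with unrestricted type resolution versus an explicit allow-list.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    /** Hypothetical DTO standing in for whatever the endpoint actually expects. */
    public static final class RequestDto {
        public String name;
        public int count;
    }

    /** Pattern to avoid: untrusted XML may name any class on the classpath. */
    static Object parseUnrestricted(String xml) {
        XStream xstream = new XStream();
        // On XStream versions without an active allow-list, the element names in
        // the XML decide which classes are instantiated, not the application.
        return xstream.fromXML(xml);
    }

    /** Hardened: start from deny-all, then allow only the types this endpoint needs. */
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);           // clear defaults, deny everything
        xstream.addPermission(NullPermission.NULL);             // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, RequestDto.class });
        xstream.alias("request", RequestDto.class);             // <request> maps to RequestDto
        return xstream;
    }

    static RequestDto parseRestricted(String xml) {
        return (RequestDto) hardenedXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample input that matches the allow-list.
        String expected = "<request><name>demo</name><count>3</count></request>";
        RequestDto dto = parseRestricted(expected);
        System.out.println("parsed: " + dto.name + " / " + dto.count);

        // Constructed input naming a class outside the allow-list: the hardened
        // instance rejects it before any object of that type is created.
        String unexpected = "<java.util.HashMap/>";
        try {
            parseRestricted(unexpected);
            System.out.println("unexpectedly accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The defensive point is the order of the permission calls: `NoTypePermission.NONE` resets the instance to deny-all, and every later `addPermission` or `allowTypes` call widens the set only by the classes the application actually expects, so an element such as `<java.util.HashMap/>` is refused at name-resolution time. Detecting the weak pattern in a code base is a matter of searching for `new XStream(` and `fromXML(` and checking whether an allow-list is configured before untrusted input reaches the call.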
VMware Cloud Foundation versions prior to 3.9.1 are impacted, and an update to VMware Cloud Foundation 3.11.0.1 fixes the issue. VMware Cloud Foundation versions 4.x are not impacted. VMware also said patches are available for end-of-life products, though it has typically not mentioned end-of-life products in its previous security advisories.
That’s due to the critical severity of the vulnerability, which has a CVSSv3 base score of 9.8 out of 10. At the same time, in an analysis earlier this week researchers with Source Incite detailed their findings and included proof-of-concept exploit code that could be used to achieve a reverse shell on vulnerable VMware Cloud Foundation instances.
“While no specific details about CVE-2021-39144 were made public by VMware, the fact that they highlighted the attack vector as an ‘unauthenticated endpoint [...] in VMware Cloud Foundation (NSX-V)’ coupled with the decision to release a patch for an end-of-life product, suggests that exploitation of this flaw is straightforward,” said Satnam Narang, staff research engineer for the Security Response team at Tenable, in an analysis of the flaw.
In addition to CVE-2021-39144, VMware also patched a moderate-severity XML External Entity flaw in VMware Cloud Foundation, which it said could lead to information disclosure or be exploited by an unauthenticated user to launch a denial-of-service condition. Sina Kheirkhah and Steven Seeley of Source Incite were credited with discovering both flaws.
Vulnerabilities in VMware products have previously been exploited by threat actors, including a remote code execution flaw (CVE-2022-22954) in VMware’s identity management service in April. More recently, in August, VMware released patches for a critical-severity authentication bypass vulnerability, which if exploited could allow a remote attacker with network access to a vulnerable user interface to skip authentication and obtain administrative privileges.