Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2021-21975, CVE-2021-21983: Chained Vulnerabilities in VMware vRealize Operations Could Lead to Unauthenticated Remote Code Execution

VMware has addressed a pair of vulnerabilities in vRealize Operations that, when chained together, could result in unauthenticated remote code execution in vulnerable servers.

Background

On March 30, VMware released a security advisory (VMSA-2021-0004) to address two vulnerabilities in vRealize Operations, an AI-powered IT operations management platform for multi-cloud, private and hybrid environments.

CVEVulnerability TypeCVSSv3
CVE-2021-21975Server-Side Request Forgery8.6
CVE-2021-21983Arbitrary File Write Vulnerability7.2

These vulnerabilities affect vRealize Operations, and also impact VMware Cloud Foundation (vROps) and vRealize Suite Lifecycle Manager (vROps). VMware has attributed the responsible disclosure of both of these vulnerabilities to Egor Dimitrenko, a security researcher at Positive Technologies.

These were not the first VMware-related vulnerabilities to be disclosed by researchers at Positive Technologies in 2021. On February 23, VMware released a security advisory (VMSA-2021-0002) addressing a number of vulnerabilities in VMware vCenter Server. Included in this advisory was CVE-2021-21972, a critical remote code execution (RCE) vulnerability scoring a CVSSv3 score of 9.8. The RCE flaw was discovered and disclosed by Mikhail Klyuchnikov, a security researcher from Positive Technologies.

Analysis

CVE-2021-21975 is a Server-Side Request Forgery (SSRF) vulnerability in the vRealize Operations API Manager that could allow a remote, unauthenticated attacker to steal administrative passwords. VMware assigned the vulnerability an “Important” severity rating with a CVSSv3 score of 8.6.

CVE-2021-21983 is an arbitrary file write vulnerability in the vRealize Operations API Manager that could allow an authenticated remote attacker to write files (potentially malicious in nature) to arbitrary locations on VMware’s underlying operating system (OS), Photon OS. While exploiting this vulnerability on its own would require authentication, the attacker can bypass this requirement by chaining CVE-2021-21975.

On March 30, Positive Technologies published a tweet highlighting the vulnerabilities discovered by Dimitrenko. The tweet disclosed a further risk to unpatched systems in which attackers could achieve unauthenticated RCE on vulnerable systems by chaining both CVE-2021-21975 and CVE-2021-21983 together. No details have been shared publicly as to how this can be achieved, but we anticipate researchers or threat actors to develop a proof-of-concept (PoC) exploit in the near future.

Proof of concept

At the time this blog post was published, there were no PoC exploits available for either vulnerability, or a combination of the two.

Solution

On March 30, VMware released the following updates for vRealize Operations to address CVE-2021-21975 and CVE-2021-21983:

Affected ProductVulnerable VersionFixed VersionKB Article
vRealize Operations Manager8.3.0vROps-8.3.0-HF3KB83210
vRealize Operations Manager8.2.0vROps-8.2.0-HF4KB83095
vRealize Operations Manager8.1.1, 8.1.0vROps-8.1.1-HF6KB83094
vRealize Operations Manager8.0.1, 8.0.0vROps-8.0.1-HF7KB83093
vRealize Operations Manager7.5.0vROps-7.5.0-HF14KB82367

If upgrading is not feasible at this time, VMware has provided workaround instructions for CVE-2021-21975 and CVE-2021-21983 that involve modifying the casa-security-context.xml file and restarting the Cluster Analytic (CaSA) service. The patching and workaround steps are linked in the corresponding KB articles in the table above.

Please note that this should only be used as a temporary workaround until upgrading is feasible.

Patches have also been released for VMware Cloud Foundation (vROps) versions 3.x and 4.x as well as vRealize Suite Lifecycle Manager (vROps) 8.x. Information on the patch can be found in the support article KB83260.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training