Preface: Rapid7 Labs estimates there are over 2,700 vulnerable vCenter servers exposed to the public internet.
Background: As of May 1 2020, the Pivotal Telemetry program is governed by VMware’s Customer Experience Improvement Program.
Data and continuous feedback loops play an important role in shaping the way Pivotal builds software.
VMware analytics service consists of components that gather and upload telemetry data from various vSphere components to the VMware Analytics Cloud and manage the Customer Experience Improvement Program (CEIP).
Vulnerability details: CVE-2021-22005 (CVSS score of 9.8) – It is an arbitrary file upload vulnerability in the Analytics service, which can be used to execute commands and software on the vCenter Server Appliance. A malicious actor with network access to port 443 on vCenter Server could exploit it by uploading a specially crafted file.
Observation: Since it can upload telemetry data by analytics service. So, attacker might do the following:
Unauthenticated OVA File Upload RCE – Exploits an unauthenticated OVA file upload and path traversal in vCenter Server to write a JSP payload to a web-accessible directory.
Official announcement – VMware has disclosed a critical bug in its flagship vSphere and vCenter products and urged users to drop everything and patch it. The virtualization giant also offered a workaround. For more details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2021-0020.html