Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances.
The flaw (CVE-2021-39144) is in the XStream open-source library used by the two VMware products and was assigned an almost maximum CVSSv3 base score of 9.8/10 by VMware.
Unauthenticated threat actors can exploit it remotely in low-complexity attacks that will not require user interaction.
VMware released security updates to address the CVE-2021-39144 flaw reported by Sina Kheirkhah of MDSec and Steven Seeley of Source Incite on Tuesday.
Additionally, because of the severity of the issue, the company also provided patches for some end-of-life products.
The same day, Kheirkhah also published proof-of-concept (PoC) exploit code and a technical analysis of the vulnerability on Seeley’s blog.
“An attacker can send a specially crafted XStream marshalled payload with a dynamic proxy and trigger remote code execution in the context of root,” the security researcher explained.
Workaround also available
VMware has also shared a temporary solution for admins who cannot immediately deploy security updates to patch their appliances.
According to the steps detailed in a separate support document, admins must log into each SDDC manager Virtual Machine in their Cloud Foundation environment via SSH and sudo to the root account.
Next, they have to upgrade the XStream library to version 1.4.19 by applying an NSX for vSphere (NSX-V) hot patch to remove the attack vector.
However, unlike applying the CVE-2021-39144 security updates released Tuesday, the workaround will require admins to go through this procedure each time “a new VI workload domain is created.”
In August, VMware warned customers of another public PoC exploit targeting a critical authentication bypass security flaw (CVE-2022-31656) in multiple VMware products, allowing attackers to gain admin privileges on unpatched appliances.
VMware also informed customers who updated to vCenter Server 8.0 (the latest version) this month that they’ll have to wait for a patch to address a privilege escalation vulnerability the company disclosed almost a year ago, in November 2021.