VMware on Tuesday released security updates to address multiple vulnerabilities in its vCenter Server and Cloud Foundation products, prompting security analysts to warn that active exploits of hybrid cloud environments are just around the corner.
The Cybersecurity and Infrastructure Security Agency (CISA) took note, issuing an alert that confirmed remote attackers could exploit some of these vulnerabilities to take control of an affected system.
In its advisory, CISA encouraged security teams to review VMware Security Advisory VMSA-2021-0020 and make the necessary updates as soon as possible.
Unfortunately, these types of vulnerabilities in systems management software are increasingly common, said Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber. Bar-Dayan added that the VMware vCenter vulnerabilities are just the latest in a growing list that also includes SolarWinds, Open Management Infrastructure (OMI), and Zoho ManageEngine.
“The vulnerabilities are particularly problematic, because of the degree of access and control attackers can gain when exploited,” Bar-Dayan said. “The vast majority of cloud vulnerabilities are caused by cloud misconfigurations and user error. Tools like VMware vCenter are used to automate configuration at scale and are the keys to the kingdom for enterprise hybrid cloud environments. The amount of damage that can be done by bad actors with these tools through intentional user error at massive scale is scary.”
Bar-Dayan added that even when patches become available, they tend to address only a single component of a multi-layered, advanced persistent threat (APT) campaign. He recommended applying the patch, but also that security teams eliminate direct access to vulnerable software from the Internet where possible.
“Organizations need to move quickly to keep APT groups from gaining access to systems management and configuration automation tools,” Bar-Dayan said.
Alec Alvarado, threat intelligence team lead at Digital Shadows, said “the clock is undoubtedly ticking” on yet another critical vulnerability. Alvarado said security teams should expect that threat actors have already started scanning to identify publicly connected vCenter Servers that are vulnerable.
“Gaining access to IT management tooling is similar to gaining access to the control room with many targets to go after or opportunities of attack,” Alvarado said. “Historical events taking advantage of IT management systems are certainly not in the distant past, as we are just a few months out from the REvil Kaseya incident. With such a potentially lucrative vulnerability, affected versions should immediately be patched as the proverbial race has already started, and working exploits are likely around the corner.”