19 New VMware Vulnerabilities, One Critical
VMware is a major virtualization and cloud computing software vendor used by organizations of all sizes. This week they released information on 19 new vulnerabilities. One of these is a critical vulnerability that could allow an attacker to run any code they want on the vulnerable server. VMware servers are critical infrastructure, and if one is exploited an attacker could gain full control over the target's entire network.
A vulnerability was discovered in the design of Microsoft Exchange’s Autodiscover protocol. This is the protocol used to simplify configuration of an Outlook client. Autodiscover allows a user to set up Outlook without knowing all the technical details such as server names and ports. Research group Guardicore Labs was able to use this vulnerability to collect over 300,000 usernames and passwords over a four-month period.
Two major US agriculture cooperatives were targets of ransomware attacks this week. We’ve seen a major increase in attacks on critical infrastructure in 2021, despite multiple ransomware groups claiming they will not attack critical infrastructure. These attacks may have a long-lasting impact on the price of food in the US.
Earlier this week, VMware released an advisory with a list of 19 vulnerabilities that affect multiple versions of VMware vCenter Server and VMware Cloud Foundation. We recommend you read the entire advisory and patch relevant systems, but we want to specifically highlight the most severe of these vulnerabilities, CVE-2021-22005, which is rated as a critical vulnerability with a CVSSv3 score of 9.8. This vulnerability is described as an arbitrary file upload vulnerability, but according to the description a malicious actor with network access to port 443 on a vulnerable vCenter Server could exploit this issue by crafting a malicious file that would allow them to execute code on the vCenter Server.
VMware has released patches for all the vulnerabilities disclosed and has provided additional workaround guidance specifically for CVE-2021-22005. The workaround involves modifying the file “/etc/vmware-analytics/ph-web.xml” and commenting out several lines. VMware has made this simple by providing a Python script, VMSA-2021-0020.py, that makes the changes for you. They also provide guidelines for making the changes manually. A video of the manual workaround being performed can be found below:
After completing the workaround, run the following command to verify:
```bash
curl -X POST "http://localhost:15080/analytics/telemetry/ph/api/hyper/send?_c&_i=test" -d "Test_Workaround" -H "Content-Type: application/json" -v 2>&1 | grep HTTP
```
If the above command returns a 404 error, then the workaround has been successfully implemented. The workaround is only needed if you are unable to apply the necessary patch immediately.
This is a critical vulnerability, and some reports have already come in that threat actors have been observed scanning for it, though we have not yet observed any active exploitation in the wild. If you are a Perch customer subscribed to the Emerging Threats Pro community, detection signatures have already been put in place for this and the other VMware vulnerabilities released in this advisory. The CRU has released a couple of signatures specifically for CVE-2021-22005 which have been deployed across all Perch IDS customers:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] VMWare vCenter File Upload RCE (CVE-2021-22005) M1"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/analytics/telemetry/ph/api/hyper/send?"; content:"_i="; distance:0; tag:session,5,packets; reference:url, kb.vmware.com/s/article/85717; classtype:web-application-activity; sid:900432; rev:1; metadata: created_at 2021-09-23, updated_at 2021-09-23, cve CVE_2021_22005, mitre_tactic_id TA0000, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] VMWare VCenter File Upload RCE (CVE-2021-22005) M2"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/analytics/ph/api/dataapp/agent?"; content:"_c="; distance:0; content:"_i="; distance:0; tag:session,5,packets; reference:url, kb.vmware.com/s/article/85717; classtype:web-application-activity; sid:900433; rev:1; metadata: created_at 2021-09-23, updated_at 2021-09-23, cve CVE_2021_22005, mitre_tactic_id TA0000, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
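To see what the two signatures above actually key on, here is an added example (our own illustration, not the CRU's or VMware's code) that re-implements their content and `distance:0` chaining in Python and runs it over constructed HTTP request records; the source addresses and log format are made up for the example.

```python
# Added illustration of the two CRU signatures' matching logic; not the CRU's or VMware's code.
from typing import List, Optional, Tuple

# Per rule: the URI content that must appear first, then tokens that must each occur
# after the previous match (Suricata "distance:0" chaining). Both rules require POST.
SIGNATURES = {
    "CVE-2021-22005 M1": ("/analytics/telemetry/ph/api/hyper/send?", ["_i="]),
    "CVE-2021-22005 M2": ("/analytics/ph/api/dataapp/agent?", ["_c=", "_i="]),
}

def uri_matches(uri: str, prefix: str, tokens: List[str]) -> bool:
    """Emulate content + distance:0: each token must follow the previous hit."""
    pos = uri.find(prefix)
    if pos < 0:
        return False
    pos += len(prefix)
    for tok in tokens:
        nxt = uri.find(tok, pos)
        if nxt < 0:
            return False
        pos = nxt + len(tok)
    return True

def classify(method: str, uri: str) -> Optional[str]:
    """Name of the first signature that matches, or None."""
    if method != "POST":
        return None
    for name, (prefix, tokens) in SIGNATURES.items():
        if uri_matches(uri, prefix, tokens):
            return name
    return None

def scan(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse constructed 'src method uri' lines; return (src, uri, signature) hits."""
    hits = []
    for line in log_lines:
        src, method, uri = line.split(maxsplit=2)
        name = classify(method, uri)
        if name:
            hits.append((src, uri, name))
    return hits

# Constructed sample records, not real traffic (the GET and the out-of-order M2 URI must not match).
SAMPLE_LOG = [
    "203.0.113.7 POST /analytics/telemetry/ph/api/hyper/send?_c&_i=test",
    "203.0.113.7 GET /analytics/telemetry/ph/api/hyper/send?_c&_i=test",
    "198.51.100.9 POST /analytics/ph/api/dataapp/agent?action=collect&_c=x&_i=y",
    "198.51.100.9 POST /analytics/ph/api/dataapp/agent?_i=y&_c=x",
    "192.0.2.4 POST /ui/login",
]
```

Note that M2's `_i=` is only matched after `_c=`, so a request with the parameters reversed is not flagged by that rule; the real Suricata rules additionally require an established flow to the server.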
Information Disclosure in Exchange Autodiscover Protocol
Microsoft Exchange has been a hot topic throughout all of 2021. It’s been almost three weeks since we’ve had to talk about any new vulnerabilities related to Microsoft Exchange. This week, researchers from Guardicore Labs released a report with information about an information disclosure vulnerability inherent in the design of Microsoft’s Autodiscover protocol. Autodiscover is a protocol designed to make configuration of Outlook clients simpler by allowing an end-user to configure Outlook to connect to an Exchange server by only supplying a username and password.
The information disclosure issue is specifically related to the “back-off” procedure built into the Autodiscover protocol. Say, for example, you have a user configuring an Outlook client with the email address email@example.com. Outlook will parse the email address, identify the domain name example.com, and then search for an Autodiscover URL with Exchange configuration information with the following format:
If none of these URLs respond, Autodiscover will continue to “back off” and attempt to connect to http://Autodiscover.com/Autodiscover/Autodiscover.xml. This means that if someone controls “Autodiscover.com”, Outlook will send them your username and password. This applies to any top-level domain (TLD) such as “.com”, “.net”, etc.
According to the Guardicore Labs report, they registered the following domains:
- Autodiscover.com.br – Brazil
- Autodiscover.com.cn – China
- Autodiscover.com.co – Colombia
- Autodiscover.es – Spain
- Autodiscover.fr – France
- Autodiscover.in – India
- Autodiscover.it – Italy
- Autodiscover.sg – Singapore
- Autodiscover.uk – United Kingdom
All these domains were configured to point to a web server they controlled, and they began collecting information. They also developed a mechanism that downgrades a client’s authentication scheme from a secure one to HTTP Basic Auth, which sends credentials in an easy-to-capture cleartext format. Between April 16, 2021, and August 25, 2021, they captured 372,072 Windows domain credentials in total, with 96,671 unique credentials leaked.
Guardicore Labs lists a couple of mitigation strategies for this information disclosure vulnerability. First, they recommend blocking all Autodiscover.TLD domains (i.e., Autodiscover.com, Autodiscover.cn, etc.) in your firewall. A comprehensive list of all available TLDs is available at https://data.iana.org/TLD/tlds-alpha-by-domain.txt. You should also make certain basic authentication is disabled in Exchange, and if you are using Exchange and Outlook, make sure your Autodiscover domain is configured and working. The vulnerability only occurs when the default domain of Autodiscover.(yourdomain.com) doesn’t respond.
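The firewall mitigation above is mechanical enough to script. The following is an added example (ours, not Guardicore's or Microsoft's) that turns a file in the format of the IANA TLD list into a set of `autodiscover.<TLD>` names and checks queried hostnames against it, so that an organization's own `autodiscover.<yourdomain>` host is never caught. The IANA excerpt, the extra second-level suffixes and the query log are constructed for the example.

```python
# Added example (not Guardicore's or the original post's code): build a blocklist of
# autodiscover.<TLD> names from a file in the IANA list format and check hostnames
# against it, so legitimate autodiscover.<yourdomain> lookups are left alone.
from typing import Iterable, List, Set

# Constructed excerpt in the format of tlds-alpha-by-domain.txt (one '#' header line,
# then one upper-case TLD per line); a real deployment reads the downloaded file.
SAMPLE_IANA_TLDS = """# Version 2021092300, Last Updated (constructed sample)
COM
NET
FR
XN--P1AI
"""

# Second-level suffixes such as com.br are not in the IANA list; this short list is an
# assumption the admin would extend (the report's registrations included com.br etc.).
EXTRA_SUFFIXES = ["com.br", "com.cn", "com.co"]

def parse_tld_list(text: str) -> List[str]:
    """Return lower-case TLDs, skipping '#' comments and blank lines."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def autodiscover_blocklist(tlds: Iterable[str], extra: Iterable[str] = ()) -> Set[str]:
    """Names Outlook may back off to when autodiscover.<yourdomain> does not answer."""
    return {f"autodiscover.{s}" for s in (*tlds, *extra)}

def is_backoff_host(host: str, blocklist: Set[str]) -> bool:
    """True if host is an autodiscover.<public suffix> name (trailing dot tolerated)."""
    return host.rstrip(".").lower() in blocklist

def check_dns_queries(queries: Iterable[str], blocklist: Set[str]) -> List[str]:
    """Reduce a list of queried names (e.g. from DNS logs) to back-off targets."""
    return [q for q in queries if is_backoff_host(q, blocklist)]

# Constructed query log, not real data.
SAMPLE_QUERIES = [
    "autodiscover.example.com",  # the org's own Autodiscover host: must not be blocked
    "example.com",
    "Autodiscover.com.",         # back-off target for any .com mailbox
    "autodiscover.com.br",
    "autodiscover.xn--p1ai",
]
```

Feeding `check_dns_queries` with resolver logs also gives a cheap detection: any hit means a client on your network reached the back-off step, which usually points at a broken `autodiscover.<yourdomain>` record rather than an attack.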
Update Sept 24
After some further testing by the CRU and [others](https://practical365.com/hot-air-and-publicity-for-purported-autodiscover-security-flaw/) we believe the Autodiscover issue is not as severe as originally claimed by Guardicore. So far, no one has been able to reproduce Guardicore’s results. We currently believe that the issue Guardicore observed is most likely due to specific edge case DNS configurations and possibly some third-party mail clients and not an inherent issue in Exchange, Outlook, or the Autodiscover protocol.
Ransomware Hits Big Agriculture
Two U.S. farmers’ cooperatives have suffered ransomware attacks this week. Farmers’ feed and grain cooperative NEW Cooperative, with over sixty locations throughout Iowa, was the victim of a ransomware attack by BlackMatter, a newer group that appeared on the scene in late July and is believed to be the successor to DarkSide, the Russian group attributed with the Colonial Pipeline attack back in May. According to NEW Cooperative, this attack threatens to affect the software controlling 40% of US grain production, as well as the feed schedule for 11 million animals.
BlackMatter claims on its website to avoid attacking critical infrastructure; however, during the initial negotiation process between BlackMatter and NEW Cooperative, the BlackMatter representative responded that they do not “fall under the rules” and instead threatened to double the ransom demand, initially set at $5.9 million. BlackMatter is also threatening to release a terabyte of stolen data on their darknet data leak site.
Minnesota farming supply cooperative Crystal Valley was also the victim of a ransomware attack on Sunday. Crystal Valley has 260 employees and provides services to 2,500 farmers and livestock producers in Minnesota and Iowa. According to their public notice, “Crystal Valley has been targeted in a ransomware attack. The attack has infected our computer systems and interrupted the daily operations of our company.
Note: due to this, we are unable to accept Visa, Mastercard, and Discover cards at our cardtrols until further notice. Local cards do work.”
Information regarding the ransom demand and who is responsible has not yet been disclosed. While NEW Cooperative has switched to a paper-based system and is still delivering grain, it is likely we will see long-lasting effects from both of these attacks in the price of food in the US.
Bryson Medlock, the Dungeon Master
- https://www.bleepingcomputer.com/news/security/us-farmer-cooperative-hit-by-59m-blackmatter-ransomware-attack/
- https://www.washingtonpost.com/business/2021/09/21/new-cooperative-hack-ransomware/