Positive Technologies expert Egor Dimitrenko discovered a high-severity vulnerability in the VMware vSphere Replication data replication tool. This solution allows organizations to create backups of virtual machines and run them if the main virtual machine reports a failure. The bug could have allowed attackers with access to the VMware vSphere Replication administration web interface to execute arbitrary code on the server with maximum privileges and start lateral movement on the network to seize control of the corporate infrastructure.

VMware has fixed the vulnerability that could have allowed remote command execution on the server. The security flaw is known as CVE-2021-21976 and has a CVSS v3 score of 7.2.

“Vulnerabilities that allow this kind of attack (command injection), can quite often be found in products for administration,” Egor Dimitrenko explains. “Such errors are usually caused by insufficient verification of user input, which subsequently fall into the context of the system command call. Mechanisms to prevent such attacks are normally built into the developer tools, protecting against the possibility of code errors. Nevertheless, there are still anomalies in the code that occurred, for example, when hastily implementing new functionality or as a result of eliminating an existing problem during hotfixes. To exploit the vulnerability found in the VMware product, attackers need credentials. These can be obtained due to the use of weak passwords or by means of social engineering.”

Organizations should follow the recommendations from VMware's official notice to fix the vulnerability. If it is not possible to install an update, then organizations can detect signs of penetration using SIEM solutions that help identify suspicious behavior on the server, register an incident, and prevent the intruders from moving laterally within the corporate network in a timely manner (this is how MaxPatrol SIEM works).

In September 2020, Positive Technologies discovered vulnerabilities of the same class (enabling command injection) in PAN-OS, the operating system used by Palo Alto Networks' next-generation firewalls (NGFW).