By Satnam Narang, Staff Research Engineer, Tenable
Researchers have disclosed a pair of vulnerabilities in VMware’s vRealize Operations (vROPs). When chained together, these vulnerabilities can lead to unauthenticated remote code execution in vRealize Operations.
“The most severe flaw, CVE-2021-21975, is a server-side request forgery (SSRF) vulnerability in the vROPs Manager API. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable vROPs Manager API endpoint. Successful exploitation would result in the attacker obtaining administrative credentials.
“VMware also patched CVE-2021-21983, an arbitrary file write vulnerability in the vROPs Manager API, which can be used to write files to the underlying operating system. This vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw.
“On their own, these vulnerabilities may not seem as severe as CVE-2021-21972, a remote code execution vulnerability in VMware’s vCenter Server that was patched in February. However, if attackers chain both CVE-2021-21975 and CVE-2021-21983 together, they could also gain remote code execution privileges.
“VMware has provided patches for both flaws across vROPs Manager versions 7.5.0 through 8.3.0. They’ve also provided a temporary workaround to prevent attackers from exploiting these flaws. The workaround should only be used as a temporary stop-gap until organizations are able to plan for applying the patches.”