A recent vulnerability in VMware vCenter Server has been assigned CVE-2021-21972. It allows unauthenticated clients to execute arbitrary commands and send requests on behalf of the targeted server via file upload.
You can read more about it in the blog post published by PT SWARM at the following link:
Cloud WAF customers and On-Prem customers that have “SecureSphere Emergency Feed” (THR feeds) are already protected OOTB.
Below are manual mitigation steps to address VMware vCenter Exploitation (for On-Prem customers):
1. Create a new manual dictionary or use an existing one.
2. Create a new signature (inside the dictionary from the previous step) with the following definition:
   - Signature name: CVE-2021-21972: VMWare Vcenter - File upload
   - Signature pattern: part="/ui/vropspluginui/rest/services/uploadova", part="uploadFile", rgxp="uploadFile\s?\="
   - Search Signature in: Urls And Parameters
3. Create a new "HTTP Protocol Signatures" policy that uses the dictionary from step 1 and apply it.
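To see which requests the signature above would and would not flag, here is an added Python example (not Imperva's code) that re-implements it as a small matcher and runs it over constructed sample requests; the assumed semantics are that each part= clause is a literal substring test, rgxp= is a regular expression, and all clauses must match against the URL plus the request parameters.

```python
import re

# Stand-in for the WAF signature described above (added example, not Imperva's code).
# Assumption: part= clauses are literal substring tests, rgxp= is a regex,
# and all clauses are ANDed over the URL and parameters ("Urls And Parameters").
SIGNATURE = {
    "name": "CVE-2021-21972: VMWare Vcenter - File upload",
    "parts": ["/ui/vropspluginui/rest/services/uploadova", "uploadFile"],
    "rgxp": re.compile(r"uploadFile\s?\="),
}


def signature_matches(url, params, signature=SIGNATURE):
    """Return True when every clause of the signature hits the URL or parameters."""
    # Inspected text: the URL followed by each parameter rendered as name=value,
    # which is what the rgxp clause (uploadFile=) is written to catch.
    haystack = url + " " + " ".join(f"{k}={v}" for k, v in params.items())
    if not all(part in haystack for part in signature["parts"]):
        return False
    return signature["rgxp"].search(haystack) is not None


def scan_requests(requests, signature=SIGNATURE):
    """Return the indexes of the requests the signature would block."""
    return [
        i for i, (url, params) in enumerate(requests)
        if signature_matches(url, params, signature)
    ]


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    # upload endpoint with the uploadFile parameter: all three clauses hit
    ("/ui/vropspluginui/rest/services/uploadova", {"uploadFile": "plugin.tar"}),
    # same plugin, different endpoint: first part= clause fails
    ("/ui/vropspluginui/rest/services/getstatus", {}),
    # unrelated request
    ("/ui/login", {"username": "admin"}),
    # upload endpoint without the parameter: the URL alone is not enough
    ("/ui/vropspluginui/rest/services/uploadova", {}),
]

if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print(f"blocked by '{SIGNATURE['name']}': {SAMPLE_REQUESTS[i][0]}")
```

Only the first sample trips all three clauses, which shows why the pattern combines the endpoint with the uploadFile parameter instead of blocking the URL outright.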