Blog Viewer

Manual Mitigation for CVE-2021-21972

By Patrick Mccrudden(csp) posted 03-02-2021 10:28

  

A recent vulnerability found in VMware vCenter server, assigned CVE-2021-21972. The vulnerability allows non-authorized clients to execute arbitrary commands and send requests on behalf of the targeted server via file upload.

 

Vulnerability Description:
You can read more about it in blogpost published by PT SWARM in the following link:
https://swarm.ptsecurity.com/unauth-rce-vmware/

 

Cloud WAF customers and On-Prem customers that have “SecureSphere Emergency Feed” (THR feeds) are already protected OOTB.

 

Below are manual mitigation steps to address VMware vCenter Exploitation (for On-Prem customers):

 

  1. Create a new manual dictionary or use an existing one
  2. Create a new signatures (inside the dictionary from the previous step) with the following definition:

 

  • Signature name:
  • CVE-2021-21972: VMWare Vcenter - File upload
  • Signature pattern:

part="/ui/vropspluginui/rest/services/uploadova", part="uploadFile", rgxp="uploadFile\s?\="

  • Protocols:
    http
    https
  • Search Signature in:

Urls And Parameters

 

       3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it  


#On-PremisesWAF(formerlySecuresphere)
0 comments
501 views

Permalink