A recent vulnerability was found in VMware vCenter Server and assigned CVE-2021-21972. The vulnerability allows unauthorized clients to execute arbitrary commands and to send requests on behalf of the targeted server via file upload.
Vulnerability Description:
You can read more about it in the blog post published by PT SWARM at the following link:
https://swarm.ptsecurity.com/unauth-rce-vmware/
Cloud WAF customers and On-Prem customers that have the “SecureSphere Emergency Feed” (THR feeds) are already protected out of the box (OOTB).
Below are manual mitigation steps to address VMware vCenter Exploitation (for On-Prem customers):
1. Create a new manual dictionary or use an existing one.
2. Create a new signature (inside the dictionary from the previous step) with the following definition:
   - Signature name: CVE-2021-21972: VMWare Vcenter - File upload
   - Signature pattern: part="/ui/vropspluginui/rest/services/uploadova", part="uploadFile", rgxp="uploadFile\s?\="
   - Protocols: http, https
   - Search Signature in: Urls And Parameters
3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it.
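As an added illustration (not code from the original article or from Imperva's engine), the following Python applies the signature's terms to a few constructed requests the way the policy above would. It assumes that every part= term and the rgxp must all match the same request (AND semantics) and that the WAF inspects parameters in normalized name=value form; both are assumptions, not documented engine behaviour.

```python
import re

# Signature definition copied from the mitigation step above. The evaluation
# rule below (all part= terms AND the rgxp must match) is an assumption about
# how a SecureSphere manual signature is applied.
SIGNATURE = {
    "name": "CVE-2021-21972: VMWare Vcenter - File upload",
    "parts": ["/ui/vropspluginui/rest/services/uploadova", "uploadFile"],
    "rgxp": re.compile(r"uploadFile\s?\="),
}


def signature_matches(url, params):
    """Return True when URL + parameters satisfy every term of the signature.

    `url` is the request path and `params` is the normalized parameter text
    (name=value pairs) that "Search Signature in: Urls And Parameters" covers.
    """
    haystack = f"{url}\n{params}"
    # Every literal part= term must be present somewhere in the inspected data.
    if not all(part in haystack for part in SIGNATURE["parts"]):
        return False
    # The regex term must match as well; only then does the signature fire.
    return SIGNATURE["rgxp"].search(haystack) is not None


def classify(requests):
    """Label each (method, url, params) tuple with the signature name or None."""
    return [
        SIGNATURE["name"] if signature_matches(url, params) else None
        for _method, url, params in requests
    ]


# Constructed sample traffic (not captured data): one upload to the affected
# endpoint that should be flagged, plus benign requests that share only some
# of the signature's terms and therefore must not fire.
SAMPLE_REQUESTS = [
    ("POST", "/ui/vropspluginui/rest/services/uploadova", "uploadFile=@archive.tar"),
    ("GET", "/ui/vropspluginui/rest/services/getstatus", ""),
    ("POST", "/ui/login", "username=admin&uploadFile=1"),
    ("POST", "/ui/vropspluginui/rest/services/uploadova", ""),
]

if __name__ == "__main__":
    for request, verdict in zip(SAMPLE_REQUESTS, classify(SAMPLE_REQUESTS)):
        print(f"{request[0]} {request[1]} -> {verdict or 'no match'}")
```

Only the first request is reported; the others each miss at least one of the three terms, which is why a request to the endpoint with no upload parameter does not trigger the signature.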