Freely subscribe to our NEWSLETTER

Affected Versions

• vCenter Server 6.5.0 before 6.5.0 build 17994927
• vCenter Server 6.7.0 before 6.7.0 build 18010531
• vCenter Server 7.0.0 before 7.0.2 build 17958471
• Cloud Foundation vCenter Server 3.x before 3.10.2.1 build 18015401
• Cloud Foundation vCenter Server 4.x before 4.2.1 build 18016307

Using Shodan for recon

vCenter Server is a centralized management utility to manage virtual machines, ESXi hosts, and other dependent components. vCenter Server is used by many companies to manage their infrastructure making it a possible attack initiation point. VMWare mentioned that these issues needed immediate attention in their blog[2] so we decided to review Shodan for a quick analysis on the number of vCenter Server instances directly connected to the Internet that are vulnerable to these flaws based on their self-reported version.
On Shodan, there are 5,271 instances of VMWare vCenter Server that are directly connected to Internet.

Majority of these instances are running versions 6.7.0, 6.5.0, and 7.0.x. (Figure 2)

Other stats show that top ports are probably using SSL/TLS, with port 443 the most used:

So far, we have been able to gather information about the product, version and ports. But how do we know if a host is vulnerable or what percentage of those hosts are vulnerable? Shodan provides downloadable data that contains banners and other valuable information for each host. Figure 4 lists the command to download information.

Once data has been downloaded, we can use the parse option from shodan-cli to get information such as port number and version of the server (Figure 5). The build number is found in the HTTP response (Figure 6) as well as an object vmware in the JSON file (Figure 7). The os_type can be used to determine the Operating System (OS) of the server, for this example majority of the hosts are using Linux.

Hosts vulnerable to vCenter Server vulnerabilities
The downloaded data from Shodan is a compressed JSON file which can be parsed using simple scripts to check if the host’s version is affected by these vulnerabilities.

Unfortunately, most of those “not vulnerable” 950 (19.12%) hosts are old versions (e.g., 2.5.0, 4.0.0, and other end of life (EOL)), and only eight hosts have versions that are supported. Implying that majority of these are not patched since they are unsupported.

The best way to protect your server is by applying the patch provided by VMware. This is the fastest and recommended way to remove the vulnerability completely. However, if you can’t patch immediately, you should add the following lines under "pluginsCompatibility" element in your compatibility-matrix.xml file:

Then stop and restart the “vsphere-ui” service. This will disable the plugins affected by these vulnerabilities. Please consider checking the importance of these plugins from your system before disabling them. See more details and tips for patching from VMware’s blog post[2] and article[3].

Trustwave Security Testing Services customers can detect vulnerable instances of VMware vCenter Server on their managed and self-service vulnerability scans.

References
[1] https://www.vmware.com/security/advisories/VMSA-2021-0010.html
[2] https://blogs.vmw are.com/vsphere/2021/05/vmsa-2021-0010.html
[3] https://kb.vmware.com/s/article/83829