VMware Cloud Foundation Unauthenticated Remote Code Execution - 20221031002

Overview

VMware Cloud Foundation contains a remote code execution vulnerability via the XStream open-source library. Proof-of-concept exploit code is available for this pre-authentication remote code execution (RCE) vulnerability, which allows attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation deployments.

What is the threat?

Unauthenticated threat actors can exploit it remotely in low-complexity attacks that will not require user interaction. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

  • CVE-2021-39144 - An attacker can send a specially crafted XStream marshalled payload with a dynamic proxy and trigger remote code execution in the context of root.
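The bullet above describes the mechanism: XStream unmarshals attacker-controlled XML into types the application never intended to instantiate. The standard library-level defence is XStream's type allowlist, which denies every type not explicitly permitted before an instance is created. The snippet below is an added illustration of that defence for an application embedding XStream; it is not VMware's code or VMware's fix, and organizations running the affected product still need the vendor patch. The `StatusReport` class, the `com.example.model` package and the XML documents are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only object this service expects to receive.
    public static class StatusReport {
        public String host;
        public int uptimeSeconds;
    }

    // Build an XStream instance that starts from "deny every type" and then
    // re-enables only what the application actually needs to unmarshal.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);          // deny all by default
        xstream.addPermission(NullPermission.NULL);            // allow <null/>
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, StatusReport.class });
        // Hypothetical model package; wildcard allowlisting keeps the list maintainable.
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("status", StatusReport.class);
        return xstream;
    }

    // Returns true when the document unmarshals to an allowed type, false when the
    // allowlist rejects it. Rejection happens at type resolution, before any
    // constructor or converter for the disallowed type runs.
    public static boolean tryUnmarshal(XStream xstream, String xml) {
        try {
            Object obj = xstream.fromXML(xml);
            System.out.println("accepted: " + obj.getClass().getName());
            return true;
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign document matching the expected type: accepted.
        String benign = "<status><host>app01</host><uptimeSeconds>3600</uptimeSeconds></status>";
        tryUnmarshal(xstream, benign);

        // Constructed document naming a JDK type the application never allowed:
        // rejected by the allowlist. java.util.HashMap is simply an arbitrary
        // class outside the allowlist, chosen to show the deny-by-default behaviour.
        String disallowed = "<java.util.HashMap/>";
        tryUnmarshal(xstream, disallowed);
    }
}
```

The important property is the order of operations: `NoTypePermission.NONE` is added first, so any type name arriving in the XML that is not subsequently allowed raises `ForbiddenClassException` during mapping, and the deserializer never reaches the point of building an object graph from untrusted input. Reviewing an application's XStream setup for this deny-first pattern, and for the XStream version in use, is the check a defender would apply to code they own.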

What is vulnerable?

  • VMware Cloud Foundation (NSX-V) 3.11

What has been observed?

There is no evidence of exploitation affecting Western Australian government networks at the time of publishing.

Recommendation

The Cyber Security Unit recommends Western Australian government organizations immediately:

  • Review the VMware security advisories and validate which version of VMware Cloud Foundation your organization is running.
  • If your organization is running a vulnerable version, review and follow the patch instructions in the VMware security advisory.

Reference