PoC Exploit Released for VMware vCenter Server RCE Vulnerability

A proof-of-concept (PoC) exploit has been released for a critical vulnerability in the VMware vCenter Server, potentially allowing authenticated remote code execution.

The vulnerability, identified as CVE-2024-22274, affects the vCenter Server’s API components and has been assigned a CVSSv3 base score of 7.2, placing it in the “Important” severity range.

EHA

The exploit targets two specific API components: “com.vmware.appliance.recovery.backup.job.create” and “com.vmware.appliance.recovery.backup.validate“. These components are vulnerable to a flag injection attack that can be leveraged to execute arbitrary commands as the root user on the target system.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Security researcher Matei “Mal” Badanoiu of Deloitte Romania, who reported the vulnerability to VMware, demonstrated the exploit by logging into the vCenter Server restricted shell via SSH as a user with the “admin” role.

By manipulating the “–username” field in specific API commands, Badanoiu was able to inject malicious SSH flags and execute arbitrary commands with root privileges.

The PoC exploits the ability to create new local users with SSH access and sudo privileges, effectively providing a pathway for attackers to gain full control of the affected system.

Root Access

VMware has acknowledged the vulnerability and recommends that users apply the updates listed in their response matrix’s ‘Fixed Version’ column to affected deployments. Currently, no workarounds are available, emphasizing the importance of promptly applying the security patches.

This vulnerability underscores the critical nature of maintaining up-to-date security measures in virtualization environments. Organizations using VMware vCenter Server are strongly advised to assess their systems and apply the necessary updates to mitigate the risk of potential exploitation.

How can I check the current version of my vCenter Server?

To check the current version of your vCenter Server, you can follow these steps:

  1. Log in to the vSphere Client: Access your vCenter Server through the web-based vSphere Client interface.
  2. Navigate to the vCenter Server appliance: In the inventory tree, locate and select your vCenter Server appliance.
  3. Check the Summary tab: Once you’ve selected the vCenter Server appliance, look for the “Summary” tab. This tab typically displays essential information about the appliance, including its version.
  4. Look for version information: In the Summary tab, you should see a section that shows the vCenter Server version. It’s usually displayed prominently and includes both the major version number and the build number.
  5. Alternative method – Use the appliance shell:
  • Connect to the vCenter Server Appliance shell using SSH.
  • Once connected, run the following command:
    vpxd -v
    This command will display the full version and build number of your vCenter Server.

Check via the Managed Object Browser (MOB):

    • Access the MOB by navigating to https:///mob in a web browser.
    • Log in with administrative credentials.
    • Navigate to content > about
    • Look for the “version” property, which will show the full version number.

    Remember, in the context of the vulnerability CVE-2024-22274, the affected version is 8.0.0.10200. If your vCenter Server is running this version or an earlier one, it may be vulnerable, and you should consider applying the security updates provided by VMware as soon as possible.

    "Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

    Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.