Security Experts:

VMware vROps Flaws Can Provide 'Unlimited Opportunities' in Attacks on Companies

A couple of serious vulnerabilities patched recently by VMware in its vRealize Operations (vROps) product can pose a significant risk to organizations, according to a researcher involved in the discovery of the security bugs.

The vROps IT operations management product, specifically the vRealize Operations Manager API, is affected by a server-side request forgery (SSRF) vulnerability tracked as CVE-2021-21975, and an arbitrary file write issue tracked as CVE-2021-21983.

According to VMware, the SSRF flaw can allow an attacker with network access to the API to obtain administrative credentials. The second vulnerability allows an authenticated attacker to write files to arbitrary locations on the underlying Photon operating system.

VMware has credited Egor Dimitrenko, a researcher at cybersecurity firm Positive Technologies, for finding the vulnerabilities. Dimitrenko told SecurityWeek that an attacker can chain the vulnerabilities to remotely execute arbitrary code on a server.

The expert warned that in a real-world attack, the vulnerabilities can give threat actors “unlimited opportunities to carry out further attacks on a company's infrastructure.”

VMware has patched the vulnerabilities in all impacted versions of vRealize Operation Manager, as well as in Cloud Foundation and vRealize Suite Lifecycle Manager. Based on their CVSS score, the vulnerabilities should have a severity rating of “high,” but the virtualization giant’s advisory lists them as “critical.”

It’s important that organizations using vROps patch these vulnerabilities as soon as possible as they could end up being exploited for malicious purposes.

In February, hackers started to scan the internet for VMware vCenter servers affected by a critical vulnerability that was also discovered by researchers at Positive Technologies. The scanning began just one day after VMware announced the availability of patches. However, in that case, PoC exploit code was quickly made available and it had been known that thousands of potentially vulnerable servers were directly accessible from the internet.

Related: VMware Patches Vulnerabilities Exploited at Chinese Hacking Contest

Related: Patch for Critical VMware ESXi Vulnerability Incomplete

Related: Vulnerability in VMware vSphere Replication Can Facilitate Attacks on Enterprises

Related: VMware Patches Remote Code Execution Vulnerability in View Planner

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.