ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

VMware vCenter Scan - CVE-2021-21972

Risk Factors

This vCenter vulnerability is well known and minimal skill is required to scan for this vulnerability. A scan is not dangerous to the network, but an attacker can learn whether a vCenter server is vulnerable to remote code execution (RCE).

Kill Chain

Reconnaissance

Risk Score

37

Detection diagram
Next in Reconnaissance: Web Directory Scan

Attack Background

The VMware vSphere Client (HTML5) component of VMware vCenter enables management of virtual environments for Windows and Linux hosts. vCenter has plugins that manage authorization for the vSphere Client connections. A vulnerability in the vRealize Operations (vROPS) plugin allows an unauthenticated attacker with network access to a vSphere Client to upload malicious files to the vCenter server. Before exploiting a target, the attacker must first confirm that the target is vulnerable. The attacker scans for the vulnerability by sending an HTTP GET request to the /uploadova endpoint. A patched server should respond with an “access denied” error (such as 403 or 401). Instead, a vulnerable server responds with a “method not allowed” (such as 405) error.

Mitigation Options

Upgrade to a fixed version, or configure devices to mitigate CVE-2021-21972

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right