Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing
Application vulnerability detection firm Wallarm Detect warns of ongoing exploitation of a critical flaw in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).
Tracked as CVE-2021-39144 (CVSS score of 9.8), the issue was disclosed in October 2022, when VMware announced patches for it, although the affected product had reached end-of-life (EOL) status in January 2022.
“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” VMware said at the time.
The security defect was identified in the XStream open source library that supports the serialization of objects to XML and back. The vulnerability impacts XStream version 1.4.17 and older.
VMware announced patches for this vulnerability on October 25. Two days later, the company updated its advisory to warn that proof-of-concept (PoC) code targeting the vulnerability had been released.
The issue was addressed along with CVE-2022-31678, a medium-severity XML External Entity (XXE) flaw that could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition.
On Monday, Wallarm Detect revealed that, since December 2022, it has been observing ongoing exploitation of these vulnerabilities in the VMware NSX Manager network virtualization and security solution.
“Active exploitation started on 2022-Dec-08 and keeps going. Attackers are scanning from well-known data centers like Linode and Digital Ocean – over 90% of the attacks are coming from their IP addresses,” the security firm says.
Wallarm Detect says it observed a peak in exploitation attempts in late December, at over 4,600 attacks per day, but that the number decreased in late January, to an average of 500 attacks per day.
“If successfully exploited, the impact of these vulnerabilities could be catastrophic, allowing attackers to execute arbitrary code, steal data, and/or take control of the network infrastructure,” the company notes.
It is also worth noting that Wallarm Detect is assessing the severity of these two vulnerabilities differently than VMware. In NSX Manager, the firm says, CVE-2022-31678 has a CVSS score of 9.1, which makes it critical, while CVE-2021-39144 has a CVSS score of 8.5, making it ‘high severity’.
Related: VMware Plugs Critical Carbon Black App Control Flaw
Related: VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
Related: High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation