‘Unauthorized API’ in VMware cost management tool can be exploited to hijack appliances

VMware has admitted its vRealize Business for Cloud product includes an “unauthorised VAMI API” that can be exploited to achieve remote code execution on the virtual appliance. The security flaw is rated critical, scoring 9.8 on the ten-point Common Vulnerability Scoring System.

VAMI is the vCenter Server Appliance Management Interface, the tool administrators use to drive VMware's flagship vCenter Server Appliance and manage fleets of virtual machines. For VAMI to have an “unauthorised” API that can be abused by miscreants to gain unauthorized control of systems over the network or internet is very scary indeed.

VMware’s advisory does not explain how an unauthorised API made its way into such a sensitive product.

The advisory does reveal that the security slip-up means “a malicious actor with network access may exploit this issue causing unauthorised remote code execution on vRealize Business for Cloud Virtual Appliance.”

That’s scary, too, because vRealize Business for Cloud is aware of the disposition of private and public cloud resources and is billed as offering the chance to “view and update the status of critical internal business processes to understand the overall system health.”

The good news is that only version 7.6 of the product is impacted, although it was released in July 2019. Patches can be accessed here.

VMware has thanked Egor Dimitrenko of Positive Technologies for reporting the vulnerability, which is known as CVE-2021-21984. ®