VMware has addressed a high severity unauthenticated RCE vulnerability in VMware View Planner, allowing attackers to abuse servers running unpatched software for remote code execution.
View Planner is a free tool for benchmarking desktop client and server-side performance in Virtual Desktop Infrastructure environments.
The vulnerability was discovered and reported to VMware by Positive Technologies web application security expert Mikhail Klyuchnikov.
Improper validation of file extensions
CVE-2021-21978 can be exploited remotely by unauthenticated attackers in low complexity attacks that do not require user interaction.
The flaw is caused by improper validation of file extensions, stemming from improper input validation and lack of authorization bugs in the logupload web application.
Successfully exploiting VMware View Planner 4.x instances prior to 4.6 Security Patch 1 could allow remote attackers to upload arbitrary files via specially crafted HTTP requests.
The attackers can then execute the uploaded files to run arbitrary malicious code on the compromised servers within the logupload container.
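The bug class described above is an upload endpoint that trusts the client-supplied filename and skips authorization. The following is an added example (not VMware's code; the upload directory, allowed extensions and handler names are assumptions) showing the checks a hardened log-upload handler would enforce: authorization before anything else, an allow-list applied to the final extension only, and a basename-only target path.

```python
"""Hardened log-upload filename handling (added example, not VMware's code).

Constructed to illustrate the mitigations for an improper-extension-validation
plus missing-authorization upload bug such as the one described for the
logupload web application. Paths and extension list are assumptions.
"""
from pathlib import PurePosixPath

ALLOWED_EXTENSIONS = {".log", ".txt"}            # assumption: log uploads only
UPLOAD_ROOT = PurePosixPath("/var/lib/logupload")  # hypothetical upload directory


def safe_log_filename(name: str) -> str:
    """Return a sanitized basename or raise ValueError.

    Rejects NUL bytes and dotfiles, strips any directory components so a
    traversal prefix is neutralized, and checks only the *final* suffix, so a
    double extension such as 'report.log.jsp' is refused.
    """
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing filename")
    base = PurePosixPath(name.replace("\\", "/")).name
    if base in ("", ".", "..") or base.startswith("."):
        raise ValueError("filename must be a plain basename")
    ext = PurePosixPath(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    return base


def handle_upload(user_authorized: bool, name: str, data: bytes) -> dict:
    """Minimal upload decision: authorization first, then filename validation.

    Returns a dict describing the HTTP-style outcome instead of writing to
    disk so the example runs offline.
    """
    if not user_authorized:
        return {"status": 401, "reason": "authentication required"}
    try:
        base = safe_log_filename(name)
    except ValueError as exc:
        return {"status": 400, "reason": str(exc)}
    target = UPLOAD_ROOT / base   # always directly under the upload root
    return {"status": 201, "path": str(target), "size": len(data)}
```

The stored files must additionally live in a location the container neither serves nor executes, since extension filtering alone does not stop a file that is later run by another path.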
Attackers scanning for vulnerable VMware servers
Last month, VMware addressed another vulnerability (CVE-2021-21972) reported by Klyuchnikov, a critical RCE bug in the vCenter Server plugin affecting all default vCenter Client installations.
“The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin,” VMware said.
“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
Attackers started mass scanning for vulnerable and Internet-exposed VMware vCenter servers within two days after security researchers published proof-of-concept (PoC) exploit code.