
Exploit code was released this week for a newly patched vulnerability in VMware Cloud Foundation and NSX Manager appliances that allows unauthenticated hackers to execute malicious code with the highest system privileges.

VMware patched the vulnerability, tracked as CVE-2021-39144, on Tuesday and assigned it a severity rating of 9.8 out of a possible 10. The vulnerability, which resides in the XStream open-source library that Cloud Foundation and NSX Manager rely on, posed so great a risk that VMware took the unusual step of patching versions that were no longer supported. The vulnerability affects Cloud Foundation version 3.11 and below. Versions 4.x are not affected.

“VMware Cloud Foundation contains a remote code execution vulnerability via the XStream open source library,” the company said in an advisory published Tuesday. “Due to an unauthenticated endpoint using XStream to serialize input to VMware Cloud Foundation (NSX-V), a malicious actor could obtain remote code execution in the ‘root’ context on a device.”

The vulnerability was discovered by Sina Kheirkhah and Steven Seeley of the security firm Source Incite. At the same time as VMware disclosed and fixed the vulnerability, Kheirkhah published their own advisory, which included the following proof-of-concept exploit.

“XStream <= 1.4.18 has untrusted data deserialization tracked as CVE-2021-39144," Kheirkhah wrote. “VMWare NSX Manager uses the xstream-1.4.18.jar package, so it is vulnerable to this deserialization vulnerability. All we need to do is find an endpoint that can be reached from an unauthenticated context to trigger the vulnerability. I found the authenticated case, but after showing it to Steven, he found it somewhere else in the /home/secureall/secureall/sem/WEB-INF/spring/security-config.xml configuration. This particular endpoint has been pre-authenticated due to the use of isAnonymous."

“isAnonymous” is a boolean function that indicates whether a particular account is anonymous, that is, not authenticated.
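The root cause described above is that XStream, as shipped in 1.4.18 and earlier, instantiates whatever class name the incoming XML asks for unless the application installs a type policy. The standard mitigation (and what XStream 1.4.19 made the default) is a deny-all allowlist. The Java snippet below is an added example, not code from VMware, the XStream project, or the researchers; the `NodeStatus` type, the `nodeStatus` alias, and the sample XML documents are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application DTO: the only domain type this endpoint should accept.
    public static class NodeStatus {
        public String nodeId;
        public int load;
    }

    // Build an XStream instance that refuses every type except an explicit allowlist.
    // Before XStream 1.4.19 this was opt-in: without a policy like this, the library
    // deserialized any class named in the input, which is the CVE-2021-39144 condition.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny everything first
        xstream.addPermission(NullPermission.NULL);                // then re-allow nulls
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // and primitive/boxed types
        xstream.allowTypes(new Class[] { String.class, NodeStatus.class });
        xstream.alias("nodeStatus", NodeStatus.class);             // constructed alias
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input matching the allowlisted type: parses normally.
        String good = "<nodeStatus><nodeId>n-01</nodeId><load>42</load></nodeStatus>";
        NodeStatus status = (NodeStatus) xstream.fromXML(good);
        System.out.println("parsed " + status.nodeId + " load=" + status.load);

        // Constructed input naming a type outside the allowlist. A harmless JDK class
        // is used here; the point is that the type name, not its content, is rejected.
        String bad = "<java.util.HashMap/>";
        try {
            xstream.fromXML(bad);
            System.out.println("UNEXPECTED: type outside allowlist was accepted");
        } catch (ForbiddenClassException e) {
            // Expected outcome for a hardened parser; worth logging as a possible
            // deserialization attack attempt against the endpoint.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two defensive points follow from the article: the allowlist must live in the application (or come from an upgraded XStream with its default policy), and it is independent of authentication, so an endpoint exposed via `isAnonymous` is still safe only if the parser behind it refuses unknown types.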

With exploit code publicly available, a vulnerability of this severity could pose a serious threat to many organizations. Anyone running a vulnerable appliance should prioritize patching as soon as possible. Organizations that cannot patch immediately can apply a temporary workaround.

https://arstechnica.com/?p=1893721