External risk intelligence

VMware vRealize Operations Manager API Credential Theft Risk

CVE advisory / Known Exploit

CVE-2021-21975

A Server-Side Request Forgery vulnerability in the VMware vRealize Operations Manager API allows a malicious actor with network access to steal administrative credentials. This poses a business risk of unauthorized access and potential data compromise.

Halo Surface Signal score: 3

Server-Side Request Forgery

VMware Cloud Foundation

Affected versions listed: 3.0, 3.0.1, 3.0.1.1, 3.5, 3.5.1, 3.7, 3.7.1, 3.7.2, 3.8, 3.8.1, 3.9, 3.9.1, 3.10, 4.0, 4.0.1, 7.0.0, 7.5.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.0, 8.1, 8.2

External exposure likelihood

Halo Surface Signal score for CVE-2021-21975

The vulnerability affects the vRealize Operations Manager API. While these management interfaces are typically deployed within internal administrative or data center segments, they are sometimes exposed to the internet or accessible via remote access gateways in certain enterprise environments, making them plausibly reachable, though they are not intended for public-facing use by design.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the vRealize Operations Manager API could allow unauthorized individuals to access sensitive information. The flaw lies in how the API handles incoming requests (a Server-Side Request Forgery), which can let attackers bypass security controls. The impact can include the compromise of administrative credentials, which could lead to further unauthorized access and disruption of business operations.

  • vRealize Operations Manager API
  • Flaw allows credential theft
  • Business risk and unauthorized access

Attack Path

How an attacker could exploit the issue

A Server-Side Request Forgery vulnerability in the vRealize Operations Manager API can be exploited by a malicious actor. This allows the attacker to gain unauthorized access to administrative credentials by tricking the affected system into making requests on their behalf. The impact is the potential compromise of sensitive credentials, which could lead to further unauthorized access or data breaches.

  • Network access to the API is required.
  • An attacker sends a crafted API request.
  • The system exposes administrative credentials.

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability in the vRealize Operations Manager API could permit attackers to steal administrative credentials by exploiting a Server-Side Request Forgery flaw. This type of attack allows unauthorized access to sensitive information, potentially compromising system security. The high severity and known exploitation indicate a significant business risk.

  • Likely attacker skill level: Basic
  • Required access or conditions: Network access to API
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the vRealize Operations Manager API could enable unauthorized actors to steal administrative credentials. Organizations should prioritize identifying and securing affected systems. This involves locating all instances of the affected vRealize Operations Manager API, implementing measures to reduce potential exposure, applying the vendor's security updates, and verifying successful remediation. Continuous monitoring for related security events is also recommended.

  • Identify all instances of the affected API.
  • Reduce exposure or isolate risk.
  • Apply vendor fix, verify, and monitor.

Frequently asked questions

What is the VMware vRealize Operations Manager API?

The VMware vRealize Operations Manager API is a component of VMware's vRealize Operations platform, which is designed for managing and monitoring IT operations across private, hybrid, and multi-cloud environments. It facilitates the automation and integration of tasks related to virtualized infrastructure and cloud operations.

What type of vulnerability does CVE-2021-21975 represent?

CVE-2021-21975 is a Server-Side Request Forgery (SSRF) vulnerability. This means an attacker can trick the application into making unintended requests to internal or external resources, potentially leading to the theft of administrative credentials.

How can CVE-2021-21975 be exploited?

An attacker with network access to the vRealize Operations Manager API can send a crafted API request, specifically targeting the '/casa/nodes/thumbprints' URI, to exploit this vulnerability. This is possible due to a lack of sanitization in the handling of incoming HTTP requests. In versions prior to 8.3, the server would send the 'maintenanceAdmin' account credentials in the Authorization header.

What is the relevance of CVE-2021-21975 in the context of Halo Surface Signal?

The Halo Surface Signal indicates a 'Possible' risk for CVE-2021-21975 because while vRealize Operations Manager APIs are typically internal, they can sometimes be exposed externally or accessible via remote access gateways, making them plausibly reachable by attackers.

What steps should be taken to address CVE-2021-21975?

Organizations should apply security updates provided by VMware to remediate CVE-2021-21975. If immediate patching is not feasible, a workaround involves removing a specific configuration line from the 'casa-security-context.xml' file and restarting the CaSA service. Continuous monitoring for related security events is also recommended.
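To support the "identify, reduce exposure, monitor" steps above, the following added example (not part of this advisory or any VMware tooling) scans constructed access-log lines for requests to the '/casa/nodes/thumbprints' endpoint from sources outside an assumed administrative network, and checks whether a reported version sorts before 8.3, the fixed version the FAQ cites. The admin network range and the log lines are hypothetical.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample access-log lines in combined-log shape (not real data).
SAMPLE_LOG = """\
10.20.5.4 - - [11/Apr/2021:09:12:01 +0000] "GET /suite-api/api/versions HTTP/1.1" 200 512
203.0.113.7 - - [11/Apr/2021:09:13:44 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 1204
10.20.5.9 - - [11/Apr/2021:09:14:02 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 1188
198.51.100.23 - - [11/Apr/2021:09:15:30 +0000] "GET /ui/login.action HTTP/1.1" 200 3090
"""

# Hypothetical admin network: the only range expected to call the CaSA endpoint.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Endpoint named in the advisory FAQ.
SENSITIVE_PATH = "/casa/nodes/thumbprints"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_thumbprint_requests(log_text: str, admin_networks=ADMIN_NETWORKS) -> List[Dict[str, str]]:
    """Return requests to the thumbprints endpoint whose source lies outside the admin networks."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(SENSITIVE_PATH):
            continue
        src = ipaddress.ip_address(m.group("src"))
        if any(src in net for net in admin_networks):
            continue  # expected administrative caller, not flagged
        hits.append({"src": str(src), "ts": m.group("ts"),
                     "method": m.group("method"), "status": m.group("status")})
    return hits


def version_before_fix(version: str, fixed=(8, 3)) -> bool:
    """True when a dotted version string sorts before 8.3 (the fixed version cited in the FAQ)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts[:2] < fixed


if __name__ == "__main__":
    for hit in flag_thumbprint_requests(SAMPLE_LOG):
        print("review:", hit)
    print("8.2.0 before fix:", version_before_fix("8.2.0"))
```

Feed real access logs and your own admin ranges to the function; any flagged request is a candidate for incident review, and any instance reporting a version before 8.3 belongs on the patch list.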
