Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream [CVE-2021-39144] #17222
Addresses suggestion-module issue: #17198
Thanks for your contribution @h00die-gr3y! I just left a few minor comments for you to review when you get a chance.
I don't have a valid VMware subscription and couldn't download the software to test your module. Would you mind recording a PCAP (with Wireshark or similar) and sending it to us at msfdev [at] metasploit.com? Please, also include the `msfconsole` output with the option `HttpTrace` set to `true`. Thanks!
modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb
…_39144.rb Agreed! Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…_39144.rb Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…_39144.rb Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…_39144.rb Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
…_39144.rb Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
…_39144.rb Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
…_39144.rb Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
Thank you for the files you sent @h00die-gr3y! I reviewed the console output/PCAP and everything looks good to me. I'll go ahead and land it.

Release Notes

This adds an exploit module that leverages a Remote Command Injection vulnerability in VMware Cloud Foundation 3.x and NSX Manager Data Center for vSphere up to and including version 6.4.13. This vulnerability is identified as CVE-2021-39144.

Thanks guys! Pleasure working with you all again...
VMware Cloud Foundation contains a remote code execution vulnerability via the XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of `root` on the appliance.

VMware Cloud Foundation `3.x` and, more specifically, NSX Manager Data Center for vSphere up to and including version `6.4.13` are vulnerable to Remote Command Injection.

This module has been tested against VMware NSX Manager (NSX-V) with the specifications listed below:

- 6.4.13
- 6.4.4
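The root cause described above is XStream deserializing untrusted input with no restriction on which classes it will instantiate. As an added defensive illustration (not code from this module or from VMware's fix), the snippet below shows the allow-list posture XStream's own security framework provides: every type is denied unless the endpoint explicitly expects it. `NodeConfig` is a hypothetical stand-in for the real DTO, and both XML inputs are constructed.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowList {
    // Hypothetical DTO standing in for whatever the service actually expects.
    public static class NodeConfig {
        public String hostname;
        public int port;
    }

    // Build an XStream instance that refuses every type except the ones this
    // endpoint legitimately needs. XStream 1.4.18+ applies this allow-list by
    // default; on older releases it has to be configured explicitly like this.
    public static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);            // clear all permissions: deny everything
        xs.addPermission(NullPermission.NULL);              // re-allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // re-allow int, boolean, ...
        xs.allowTypes(new Class[] { String.class, NodeConfig.class });
        xs.alias("nodeConfig", NodeConfig.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed benign input: exactly the DTO the endpoint is designed to accept.
        String ok = "<nodeConfig><hostname>nsx-01</hostname><port>443</port></nodeConfig>";
        NodeConfig cfg = (NodeConfig) xs.fromXML(ok);
        System.out.println("accepted: " + cfg.hostname + ":" + cfg.port);

        // Constructed input naming a JDK type that is not on the allow-list. The
        // security mapper rejects the class name before any object is created.
        String rejected = "<java.util.HashMap/>";
        try {
            xs.fromXML(rejected);
            System.out.println("unexpectedly accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the `addPermission`/`allowTypes` lines, the same `fromXML` call on pre-1.4.18 XStream instantiates whatever class the element names, which is the behaviour this module relies on.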
Verification

Follow these instructions to install a vulnerable VMware NSX Manager on VirtualBox.

1. OVA image: `VMware-NSX-Manager-6.4.13-19307994.ova`
2. Web UI: `https://<nsx-manager-ip>`, user `admin`, password `default`
3. Start `msfconsole`
4. `use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144`
5. `set rhosts <target host ip>`
6. `set lhost <attacker host ip>`
7. `exploit`
Limitations

The vulnerability check is limited to detecting that VMware NSX Manager (NSX-V) is running, without obtaining the version information. However, all VMware NSX Manager versions up to `6.4.13` are vulnerable, except for `6.4.14`, so most detected targets are likely to be vulnerable.