CVE-2021-21978
📋 TL;DR
This vulnerability allows unauthenticated attackers with network access to VMware View Planner Harness to upload and execute arbitrary files, leading to remote code execution within the logupload container. It affects VMware View Planner 4.x installations prior to version 4.6 Security Patch 1. Organizations using vulnerable versions are at risk of complete system compromise.
💻 Affected Systems
- VMware View Planner
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining persistent access, data exfiltration, lateral movement to other systems, and deployment of ransomware or other malware.
Likely Case
Initial foothold leading to privilege escalation, credential harvesting, and deployment of backdoors for persistent access.
If Mitigated
Limited impact due to network segmentation, proper authentication controls, and monitoring preventing successful exploitation.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute. The vulnerability is actively exploited in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6 Security Patch 1
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0003.html
Restart Required: Yes
Instructions:
1. Download VMware View Planner 4.6 Security Patch 1 from VMware's official portal.
2. Apply the patch following VMware's installation guide.
3. Restart the View Planner services to ensure the patch is fully applied.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the View Planner Harness to trusted IP addresses or internal networks only.
Use firewall rules to block external access to port 443/tcp (or the configured HTTPS port) on the View Planner server.
Disable Logupload Service
Temporarily disable the vulnerable logupload web application if it is not required for operations.
Stop the logupload service: systemctl stop logupload (Linux) or the equivalent service-stop command for your OS.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to the View Planner Harness.
- Deploy web application firewalls (WAF) with rules to block file upload attempts to the logupload endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the View Planner version via the web interface or configuration files. If the version is 4.x and older than 4.6 Security Patch 1, it is vulnerable.
Check Version:
Check the version in the View Planner admin interface or review the release notes in the installation directory.
Verify Fix Applied:
Verify the installed version is 4.6 Security Patch 1 or later. Test by attempting to access the logupload endpoint with unauthorized requests to confirm it's blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /logupload endpoint
- Unauthorized access attempts to the logupload service
- Execution of unexpected processes in the logupload container
Network Indicators:
- HTTP POST requests to /logupload with file uploads from untrusted sources
- Outbound connections from the View Planner server to unknown IPs post-exploitation
SIEM Query:
source="view-planner-logs" AND (url="/logupload" OR process="unexpected-executable")
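As an added example that is not part of this advisory, the following Python script applies the log indicators above to web-server access log lines: it flags HTTP POST requests to the /logupload endpoint from addresses outside an internal allow-list. The combined log format, the trusted ranges and the sample lines are assumptions constructed for the example; adjust them to your environment.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the View Planner Harness front end writes a combined-format access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed internal allow-list; replace with the networks that legitimately use the harness.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted ranges; unparsable addresses are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_uploads(lines):
    """Return (ip, timestamp, path, status) for POSTs to /logupload from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Match the endpoint with or without a query string.
        if not m["path"].startswith("/logupload"):
            continue
        if is_trusted(m["ip"]):
            continue
        hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


def count_by_source(lines):
    """Number of flagged upload attempts per source address, for prioritising triage."""
    return Counter(ip for ip, _, _, _ in find_suspicious_uploads(lines))


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.45 - - [03/Mar/2021:10:12:01 +0000] "POST /logupload HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '10.1.2.3 - - [03/Mar/2021:10:13:07 +0000] "POST /logupload HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2021:10:14:22 +0000] "GET /logupload HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [03/Mar/2021:10:15:00 +0000] "POST /logupload?name=x HTTP/1.1" 200 256 "-" "curl/7.68.0"',
    '192.168.5.9 - - [03/Mar/2021:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print("suspicious upload:", hit)
```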
🔗 References
- http://packetstormsecurity.com/files/161879/VMware-View-Planner-4.6-Remote-Code-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2021-0003.html