In the midst of the coordinated U.S. war on ransomware, cybersecurity experts remain on high alert for all types of online attacks, including security holes in commercial software that can be exploited to gain access to private networks and systems. On May 25, 2021, VMware announced the discovery of remote code execution and authentication vulnerabilities in its widely-used virtualization and cloud computing software. Two weeks later, the Cybersecurity and Infrastructure Security Agency (CISA) issued its own alert to government agencies to address the vulnerability as soon as possible. On June 9th the Department of Health and Human Services Office of Civil Rights (OCR) shared the alert with healthcare providers so they can take appropriate action.
What is VMware?
Founded in 1998 and based in California, VMware dominates the virtualization market, which allows technology companies to create and run multiple virtual servers or computers on limited hardware. As many as 75 percent of all organizations that take advantage of hardware virtualization use VMware products. According to CISA, most government agencies with on-premises network management are VMware customers as well.
What is the vulnerability?
VMware disclosed a security vulnerability affecting two of its products: VMware vCenter Server and VMware Cloud Foundation. In its initial security advisory, VMware explains that the plug-in architecture of its client software has a remote code execution vulnerability that would allow a malicious actor "to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server." In its What You Need to Know blog post, VMware puts the issue more simply: "This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access." Tracked within VMware as VMSA-2021-0010, the vulnerability has been given the Common Vulnerabilities and Exposures (CVE) number CVE-2021-21985.
How serious is the threat?
Even before the CISA alert, VMware had deemed the issue a critical vulnerability, which means it could mean "the complete compromise of confidentiality, integrity, and availability of user data and/or processing resources without user interaction." Based on the Common Vulnerability Scoring System (CVSS), it rates a 9.8 out of 10. Although VMware made a software patch available immediately, CISA notes that "unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system." And, based on its observations, "several agencies are showing unpatched instances of these products." "The ramifications of this vulnerability are serious," VMware asserts in its Frequently Asked Questions. In fact, the company notes, the prevalence of ransomware means that it may be trivially easy for an attacker to take advantage of the weakness. "Assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly," VMware says. "This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence."
How should VMware users respond?
CISA's guidance is aimed primarily at government agencies, but its alerts and recommendations are heeded by organizations of all types and sizes. In its alert, CISA calls on "state and local governments, critical infrastructure entities, and other private sector organizations" to "apply the necessary updates as soon as possible, even if out-of-cycle work is required." For its part, VMware says that action is needed "right now" and "at once," deeming the installation of its security patch an "emergency change." "All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so the decision on how to proceed is up to you," the company says. "However, given the severity, we strongly recommend that you act." If for some reason the security patch cannot be installed, VMware provides workarounds to close the security hole in the interim, disabling VMware plugins in vCenter Server.
How to strengthen defenses
The widespread nature and critical rating of VMware's vulnerability serve as a wake-up call that cybersecurity threats can come from anywhere, including software that you explicitly trust to manage your technology. Not updating known software vulnerabilities is a surefire way to open yourself up to a data breach. In March, newly-identified vulnerabilities in Microsoft’s Exchange email service were used against tens of thousands of organizations in the United States alone. Even after a patch was made widely available, over a hundred thousand Exchange servers were still not updated weeks later. Time will tell how many HIPAA violations, lawsuits, and fines this leads to. As VMware notes, ransomware and phishing are common ways hackers get past external defenses and compromise systems from the inside.
Paubox Email Suite Premium provides our highest level of email protection and requires no change in user behavior. No extra logins, passwords, or portals. With our HITRUST CSF certified solution, all emails are encrypted directly from your existing email platform (such as Microsoft 365 and Google Workspace). Malicious inbound emails are blocked even before reaching an employee’s inbox. Our Premium package also comes with ExecProtect, built to stop display name spoofing, and Zero Trust Email requires an additional piece of evidence to authenticate every single email before being delivered to your team’s inboxes. Premium also comes with data loss prevention (DLP), which stops unauthorized employees from transmitting sensitive data outside an organization, and email archiving. Paubox Email Suite also enables you and your employees to send HIPAA compliant email directly to your recipients' inboxes.