The company said users who are able to update their vCenter software should do so ‘right now’ to protect themselves from attacks.
VMware has issued a patch for a “critical security advisory” in its vCenter Server software, which it says users need to install “right now”.
The advisory, which the company is calling VMSA-2021-0020, comprises 19 individual security vulnerabilities, including one that could allow malicious actors to “execute commands and software” in vCenter Server management software by exploiting a file upload vulnerability.
The most serious flaw potentially allows for relatively simple ‘zero-click’ attacks, which can succeed without a user doing anything. There are also a number of flaws potentially of use to an attacker who already has access to a network.
“One of the biggest problems facing IT today is that attackers often compromise a desktop and/or user account on the corporate network, and then patiently and quietly use that to break into other systems over long periods of time,” VMware said in a blog post.
“They steal confidential data, intellectual property, and at the end install ransomware and extort payments from their victims.
“In this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.”
The problem affects vCenter Server versions 6.5, 6.7 and 7.0.
The Register notes that it “cannot recall the company issuing so many documents, using such strong language, to respond to any previous flaw”, underscoring the seriousness of the issue.
VMware is advising users capable of updating vCenter to do so immediately. For those who can’t, the company has issued a workaround, but it only addresses the most critical of the security issues, and not the lesser ones that may still present vulnerabilities from inside networks.
A report by Palo Alto Networks last month found that the average ransomware pay-out is now approximately $570,000 and that attackers are increasingly employing multi-pronged strategies to pressure target organisations into paying ransoms.