CVE-2021-21978
Published 2021-03-03
Priority: P1 · 94 · critical · 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 98.95% (99.9th percentile)
VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | view_planner | — | — |
| vmware | view_planner | >= 4.0 < 4.6 | 4.6 |
Detection & IOCs (extracted from sources)
URL indicator: POST /logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D
Decoded logMetaData value: {"itrLogPath": "../../../../../../etc/httpd/html/wsgi_log_upload", "logFileType": "log_upload_wsgi.py", "workloadID": "2"}
ET rule (Snort/Suricata), sid:2032008, "Attempt M2":
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M2"; flow:established,to_server; http.request_line; content:"POST /logupload"; startswith; fast_pattern; http.request_body; content:"name=|22|logMetaData|22|"; content:"itrLogPath"; content:"name=|22|logfile|22 3b|"; content:"log_upload_wsgi.py"; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:url,attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece; reference:cve,2021-21978; classtype:attempted-admin; sid:2032008; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Datacenter, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_15;)
ET rule (Snort/Suricata), sid:2032009, "Attempt M1":
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M1"; flow:established,to_server; http.request_line; content:"POST /logupload?logMetaData="; startswith; fast_pattern; content:"itrLogPath"; content:"log_upload_wsgi.py"; http.request_body; content:"name=|22|logfile|22 3b|"; reference:url,paper.seebug.org/1495/; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:cve,2021-21978; classtype:attempted-admin; sid:2032009; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_15;)
- Exploit sends a POST request to /logupload with a JSON-encoded logMetaData parameter containing a path traversal in itrLogPath and logFileType set to 'log_upload_wsgi.py' to overwrite the WSGI handler with attacker-controlled content.
- Multipart upload uses the boundary '----WebKitFormBoundarySHHbUsfCoxlX1bpS' and a form field named 'logfile'; presence of both in a POST to /logupload is a strong exploit indicator.
- A successful exploitation response returns HTTP 200 with the exact body 'File uploaded successfully.' (28 bytes). Alert on this response to /logupload POST requests.
- The Metasploit module targets the unauthenticated log file upload in log_upload_wsgi.py; successful exploitation results in RCE as the apache user inside the appacheServer Docker container.
- ET Snort SID 2032008 (M2) triggers on POST /logupload with a request body containing both 'name="logMetaData"' and 'name="logfile";' alongside 'itrLogPath' and 'log_upload_wsgi.py'.
- ET Snort SID 2032009 (M1) triggers on POST /logupload?logMetaData= in the request line, with 'itrLogPath' and 'log_upload_wsgi.py' in the URI, and 'name="logfile";' in the body.
- The Nuclei template uses a static multipart boundary ('----WebKitFormBoundarySHHbUsfCoxlX1bpS') and a fixed payload ('POC_TEST'); real exploits will vary the boundary and payload content, so boundary-based detection alone is insufficient.
- ET rule M2 (sid:2032008) is tagged 'deployment SSLDecrypt', meaning it will not fire on TLS-encrypted traffic unless SSL inspection is enabled.
- ET rule M1 (sid:2032009) is also tagged 'deployment SSLDecrypt'; both rules require SSL decryption to be effective against HTTPS-protected View Planner deployments.
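The following is an added example, not code from this page's sources or from the ET, Nuclei or Metasploit projects. It re-implements the two ET match conditions quoted above (sid:2032008 "M2" and sid:2032009 "M1") and the page's other indicators as plain Python over parsed HTTP requests, so a detection engineer can unit-test the logic against captured traffic. The `HttpRequest` type, `parse_request` and the minimal multipart extraction in `extract_log_metadata` are hypothetical helpers written for this example, and all sample requests are constructed. It assumes plaintext captures, which is the page's SSLDecrypt caveat: this only sees HTTPS traffic after decryption. `has_traversal` goes beyond the rules by flagging any `..` segment in `itrLogPath`, whatever boundary or file name is used, which addresses the caveat that boundary-based detection alone is insufficient.

```python
"""Added example: evaluate the page's CVE-2021-21978 indicators against HTTP requests.
Helpers and samples are constructed for illustration; not from any project."""
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpRequest:                     # hypothetical helper type
    request_line: str                  # e.g. 'POST /logupload HTTP/1.1'
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return HttpRequest(lines[0].decode("latin-1"), headers, body)


def matches_m2(req: HttpRequest) -> bool:
    """sid:2032008: request line starts with 'POST /logupload'; the body carries the
    logMetaData field, itrLogPath, the logfile field and log_upload_wsgi.py."""
    if not req.request_line.startswith("POST /logupload"):
        return False
    needles = (b'name="logMetaData"', b"itrLogPath", b'name="logfile";', b"log_upload_wsgi.py")
    return all(n in req.body for n in needles)


def matches_m1(req: HttpRequest) -> bool:
    """sid:2032009: metadata travels in the query string, so itrLogPath and
    log_upload_wsgi.py are matched in the request line; body needs the logfile field."""
    rl = req.request_line
    if not rl.startswith("POST /logupload?logMetaData="):
        return False
    if "itrLogPath" not in rl or "log_upload_wsgi.py" not in rl:
        return False
    return b'name="logfile";' in req.body


def classify(req: HttpRequest) -> list:
    """Return the ET sids whose conditions the request satisfies."""
    return [sid for sid, fn in ((2032008, matches_m2), (2032009, matches_m1)) if fn(req)]


def extract_log_metadata(req: HttpRequest):
    """Recover the logMetaData JSON from the query string or, failing that, from the
    multipart part named logMetaData (minimal scan, not a full multipart parser)."""
    target = req.request_line.split(" ")[1] if " " in req.request_line else ""
    raw = parse_qs(urlsplit(target).query).get("logMetaData", [None])[0]
    if raw is None:
        idx = req.body.find(b'name="logMetaData"')
        start = req.body.find(b"\r\n\r\n", idx) if idx != -1 else -1
        if start == -1:
            return None
        end = req.body.find(b"\r\n--", start + 4)
        raw = req.body[start + 4:end if end != -1 else None].decode("utf-8", "replace")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None


def has_traversal(meta) -> bool:
    """True when itrLogPath contains a '..' segment, i.e. the upload is steered
    outside the intended log directory, independent of boundary or file name."""
    path = (meta or {}).get("itrLogPath", "")
    return any(seg == ".." for seg in str(path).replace("\\", "/").split("/"))


def is_success_response(status: int, body: bytes) -> bool:
    """Server-side indicator from the page: HTTP 200 with the fixed body."""
    return status == 200 and body.strip() == b"File uploaded successfully."


# Constructed samples. Boundary and file content are placeholders, not an upload.
BOUNDARY = b"----ConstructedBoundary0001"
META = (b'{"itrLogPath": "../../../../../../etc/httpd/html/wsgi_log_upload", '
        b'"logFileType": "log_upload_wsgi.py", "workloadID": "2"}')
ENCODED_META = ("%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2F"
                "wsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20"
                "%22workloadID%22%3A%20%222%22%7D")
BENIGN_META = ("%7B%22itrLogPath%22%3A%20%22workload2%2Frun1%22%2C%20%22logFileType%22%3A%20"
               "%22txt%22%2C%20%22workloadID%22%3A%20%222%22%7D")
SAMPLE_M2 = b"".join([
    b"POST /logupload HTTP/1.1\r\nHost: viewplanner.example\r\n",
    b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n\r\n",
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="logMetaData"\r\n\r\n', META, b"\r\n",
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="logfile"; filename="x"\r\n\r\n',
    b"PLACEHOLDER\r\n--", BOUNDARY, b"--\r\n"])
SAMPLE_M1 = b"".join([
    b"POST /logupload?logMetaData=", ENCODED_META.encode(), b" HTTP/1.1\r\nHost: viewplanner.example\r\n",
    b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n\r\n",
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="logfile"; filename="x"\r\n\r\n',
    b"PLACEHOLDER\r\n--", BOUNDARY, b"--\r\n"])
SAMPLE_BENIGN = b"".join([
    b"POST /logupload?logMetaData=", BENIGN_META.encode(), b" HTTP/1.1\r\nHost: viewplanner.example\r\n",
    b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n\r\n",
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="logfile"; filename="run1.log"\r\n\r\n',
    b"2021-03-15 run finished\r\n--", BOUNDARY, b"--\r\n"])

if __name__ == "__main__":
    for label, raw in (("M2-style", SAMPLE_M2), ("M1-style", SAMPLE_M1), ("benign", SAMPLE_BENIGN)):
        req = parse_request(raw)
        print(label, classify(req), has_traversal(extract_log_metadata(req)))
```

The benign sample is a legitimate-looking View Planner log upload: it starts with the same `POST /logupload?logMetaData=` prefix and carries `itrLogPath`, so a looser rule would false-positive on it; both ET conditions and the traversal check stay quiet because `log_upload_wsgi.py` and `..` are absent. `is_success_response` is the response-side pivot: pairing a fired request with a 200 and that exact body distinguishes an attempt from a likely success.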
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-cmcw-cw5c-rg22: VMware View Planner 4 (CVE-2021-21978, CRITICAL, CWE-434)
ghsa_unreviewed · 2022-05-24
VulnCheck
VMware view_planner Improper Input Validation (CVE-2021-21978, CRITICAL)
vulncheck · 2021 · CVSS 9.8
Affected: VMware view_planner
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-03&host_type=src&vulnerability=cve-2021-21978; https
Suricata
ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M2 (CRITICAL)
suricata · 2021-03-15 · CVSS 9.8
Rule: sid:2032008, rev:1; the full rule text is quoted in the Detection & IOCs section above.
Suricata
ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M1 (CRITICAL)
suricata · 2021-03-15 · CVSS 9.8
Rule: sid:2032009, rev:1; the full rule text is quoted in the Detection & IOCs section above.
Nuclei
VMware View Planner <4.6 SP1 - Remote Code Execution (CVE-2021-21978, CRITICAL)
nuclei · CVSS 9.8
VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability due to improper input validation and lack of authorization leading to arbitrary file upload in the logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file, leading to remote code execution within the logupload container.
Template (excerpt):
```yaml
id: CVE-2021-21978
info:
  name: VMware View Planner <4.6 SP1- Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability due to improper input validation and lack of authorization leading to arbitrary file uplo
```
Metasploit
VMware View Planner Unauthenticated Log File Upload RCE
metasploit
This module exploits an unauthenticated log file upload within the log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 Security Patch 1. Successful exploitation will result in RCE as the apache user inside the appacheServer Docker container.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/161879/VMware-View-Planner-4.6-Remote-Code-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2021-0003.html