cbcvebase.
CVE-2021-21978
published 2021-03-03

Priority: P1 (94) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 98.95% (99.9th percentile)
VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.
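The advisory text boils down to two trusted fields, itrLogPath and logFileType, being joined onto a log directory without any containment check, which is why the IOC below can steer the upload onto the handler's own log_upload_wsgi.py. The following is an added illustration, not VMware's code and not the patched handler: the directory, the allowed suffixes and the field handling are assumptions modelled on the request shown in the IOCs, and the exploit JSON is the URL-decoded logMetaData from that request. Authorization is a separate fix the advisory also calls out and is not shown here.

```python
import json
import posixpath

# Assumed deployment constants (not from the advisory): where uploads should
# land and which file types a log uploader has any business writing.
LOG_ROOT = "/var/log/viewplanner"
ALLOWED_SUFFIXES = (".log", ".txt")

# The logMetaData value from the IOC, URL-decoded (constructed here as a string).
EXPLOIT_META = ('{"itrLogPath": "../../../../../../etc/httpd/html/wsgi_log_upload", '
                '"logFileType": "log_upload_wsgi.py", "workloadID": "2"}')
# A constructed benign upload from the same client type.
BENIGN_META = '{"itrLogPath": "workload2/iter1", "logFileType": "run.log", "workloadID": "2"}'


def vulnerable_target(log_root, log_meta_data):
    """Trusts both fields; returns the path the OS actually opens after '..' resolution."""
    meta = json.loads(log_meta_data)
    return posixpath.normpath(posixpath.join(log_root, meta["itrLogPath"], meta["logFileType"]))


def hardened_target(log_root, log_meta_data):
    """Same inputs, but the result must stay under log_root and be a log file."""
    meta = json.loads(log_meta_data)
    rel_dir = str(meta.get("itrLogPath", ""))
    name = str(meta.get("logFileType", ""))
    # The file name must be a single path component: no separators, no '.'/'..'.
    if not name or name != posixpath.basename(name) or name in (".", ".."):
        raise ValueError("bad logFileType")
    if not name.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError("disallowed file type")
    root = posixpath.normpath(log_root)
    # posixpath.join discards everything before an absolute component, so an
    # absolute itrLogPath is caught by the containment check below, not silently used.
    target = posixpath.normpath(posixpath.join(root, rel_dir, name))
    # Containment: after '..' resolution the target must still be under root.
    # On a live system also resolve symlinks with os.path.realpath first.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("path escapes log root")
    return target


def is_accepted(log_root, log_meta_data):
    """True if the hardened handler would write the file, False if it refuses."""
    try:
        hardened_target(log_root, log_meta_data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable handler writes to:", vulnerable_target(LOG_ROOT, EXPLOIT_META))
    print("hardened handler accepts exploit:", is_accepted(LOG_ROOT, EXPLOIT_META))
    print("hardened handler accepts benign :", is_accepted(LOG_ROOT, BENIGN_META))
```

The six `../` components walk out of the three-level log root to `/` and the remaining ones are absorbed there, which is exactly what the naive join returns; the hardened version rejects the same metadata twice over, first on the `.py` suffix and, if the suffix were acceptable, on the containment check.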

Affected (2 ranges)

Vendor    Product        Version range     Fixed in
vmware    view_planner   -                 -
vmware    view_planner   >= 4.0, < 4.6     4.6

Detection & IOCs (extracted from sources)

url: POST /logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D
    (logMetaData URL-decoded: {"itrLogPath": "../../../../../../etc/httpd/html/wsgi_log_upload", "logFileType": "log_upload_wsgi.py", "workloadID": "2"})
path: /logupload
filename: log_upload_wsgi.py
snort/suricata rule (ET Open; the http.request_line / http.request_body sticky buffers are Suricata syntax):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M2"; flow:established,to_server; http.request_line; content:"POST /logupload"; startswith; fast_pattern; http.request_body; content:"name=|22|logMetaData|22|"; content:"itrLogPath"; content:"name=|22|logfile|22 3b|"; content:"log_upload_wsgi.py"; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:url,attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece; reference:cve,2021-21978; classtype:attempted-admin; sid:2032008; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Datacenter, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_15;)
snort/suricata rule (ET Open; Suricata syntax):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M1"; flow:established,to_server; http.request_line; content:"POST /logupload?logMetaData="; startswith; fast_pattern; content:"itrLogPath"; content:"log_upload_wsgi.py"; http.request_body; content:"name=|22|logfile|22 3b|"; reference:url,paper.seebug.org/1495/; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:cve,2021-21978; classtype:attempted-admin; sid:2032009; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_15;)
  • The exploit sends a POST to /logupload with a JSON-encoded logMetaData parameter whose itrLogPath carries a path traversal and whose logFileType is 'log_upload_wsgi.py', so the uploaded body overwrites the WSGI handler with attacker-controlled content.
  • The public PoC's multipart upload uses the boundary '----WebKitFormBoundarySHHbUsfCoxlX1bpS' and a form field named 'logfile'; both together in a POST to /logupload point at that PoC, but the boundary is trivially changed, so treat it as a PoC fingerprint rather than a general indicator (see the Nuclei note below).
  • A successful upload returns HTTP 200 with the body 'File uploaded successfully.' (the quoted string is 27 bytes; a 28-byte body implies a trailing newline, so match on the string rather than the length). Alert on this response to a POST to /logupload.
  • The Metasploit module targets the unauthenticated log file upload in log_upload_wsgi.py; successful exploitation results in RCE as the apache user inside the appacheServer Docker container.
  • ET SID 2032008 (M2) fires on POST /logupload with a request body containing both 'name="logMetaData"' and 'name="logfile";' alongside 'itrLogPath' and 'log_upload_wsgi.py'.
  • ET SID 2032009 (M1) fires on POST /logupload?logMetaData= in the request line, with 'itrLogPath' and 'log_upload_wsgi.py' also in the request line, and 'name="logfile";' in the body. Both rules match literal strings against the raw request line and body, so an attacker who percent-encodes letters of the JSON keys or the file name in the query string slips past them; a detector that URL-decodes logMetaData and inspects the JSON does not have that gap.
  • The Nuclei template uses a static multipart boundary ('----WebKitFormBoundarySHHbUsfCoxlX1bpS') and a fixed payload ('POC_TEST'); real exploits will vary both, so boundary- or payload-based detection alone is insufficient.
  • Both ET rules are tagged 'deployment SSLDecrypt': they inspect HTTP content and will not fire on TLS-encrypted traffic to a View Planner harness unless the sensor sees decrypted traffic.
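To make the two rule conditions and the encoding caveat concrete, here is an added example (not from this page and not Proofpoint/ET code): a minimal re-implementation of the M1 and M2 match logic alongside a decode-then-inspect check, run over constructed HTTP requests. Only the first URI is the one quoted in the IOCs; the host name, the second boundary, the benign request and the percent-encoded variant are constructed for this example, and the `.log`/`.txt` allow-list in `suspicious_meta` is an assumption about what a log uploader should accept.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

SUCCESS_BODY = "File uploaded successfully."            # response body quoted in the IOCs
BOUNDARY = "----WebKitFormBoundarySHHbUsfCoxlX1bpS"      # the public PoC's static boundary

# URI quoted in the IOCs, and the same JSON decoded (constructed as a string here).
EXPLOIT_URI = ("/logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2F"
               "etc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20"
               "%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D")
EXPLOIT_JSON = ('{"itrLogPath": "../../../../../../etc/httpd/html/wsgi_log_upload", '
                '"logFileType": "log_upload_wsgi.py", "workloadID": "2"}')


def _multipart(boundary, parts):
    """Constructed multipart/form-data body from (content-disposition, value) pairs."""
    body = ""
    for disposition, value in parts:
        body += f"--{boundary}\r\nContent-Disposition: form-data; {disposition}\r\n\r\n{value}\r\n"
    return body + f"--{boundary}--\r\n"


def _request(target, body, boundary=BOUNDARY):
    """Constructed raw HTTP/1.1 POST to an assumed host name."""
    return (f"POST {target} HTTP/1.1\r\nHost: viewplanner.example\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n{body}")


LOGFILE_PART = ('name="logfile"; filename="log_upload_wsgi.py"', "POC_TEST")
# M1 shape: metadata in the query string.
M1_REQUEST = _request(EXPLOIT_URI, _multipart(BOUNDARY, [LOGFILE_PART]))
# M2 shape: metadata as a form field, with a boundary the PoC does not use.
M2_REQUEST = _request("/logupload", _multipart("----abc123", [('name="logMetaData"', EXPLOIT_JSON), LOGFILE_PART]), "----abc123")
# Benign upload of an iteration log.
BENIGN_REQUEST = _request("/logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22workload2%2Fiter1%22%2C%20"
                          "%22logFileType%22%3A%20%22run.log%22%7D",
                          _multipart(BOUNDARY, [('name="logfile"; filename="run.log"', "iteration 1 ok")]))
# Same attack as M1 with 'i' of itrLogPath and '.' of the file name percent-encoded.
ENCODED_REQUEST = _request("/logupload?logMetaData=%7B%22%69trLogPath%22%3A%20%22..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2F"
                           "wsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi%2Epy%22%7D",
                           _multipart("----abc123", [('name="logfile"; filename="x"', "POC_TEST")]), "----abc123")


def split_request(raw):
    """Return (request_line, body) of a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n")[0], body


def matches_et_m1(request_line, body):
    """SID 2032009: literal markers in the raw request line, 'logfile' field in the body."""
    return (request_line.startswith("POST /logupload?logMetaData=")
            and "itrLogPath" in request_line and "log_upload_wsgi.py" in request_line
            and 'name="logfile";' in body)


def matches_et_m2(request_line, body):
    """SID 2032008: all four literal markers in the multipart body."""
    return (request_line.startswith("POST /logupload")
            and 'name="logMetaData"' in body and "itrLogPath" in body
            and 'name="logfile";' in body and "log_upload_wsgi.py" in body)


def extract_log_meta(request_line, body):
    """Find logMetaData in the query string (URL-decoded) or the form body; parse the JSON."""
    query = parse_qs(urlsplit(request_line.split(" ")[1]).query)
    if "logMetaData" in query:
        raw = query["logMetaData"][0]
    else:
        m = re.search(r'name="logMetaData"\r\n\r\n(.*?)\r\n', body, re.S)
        if not m:
            return None
        raw = m.group(1)
    try:
        return json.loads(raw)
    except ValueError:
        return None


def suspicious_meta(meta):
    """Semantic check on the decoded JSON: traversal or absolute itrLogPath, or a non-log type."""
    if not isinstance(meta, dict):
        return False
    path = str(meta.get("itrLogPath", ""))
    ftype = str(meta.get("logFileType", ""))
    traversal = path.startswith("/") or ".." in path.split("/")
    return traversal or not ftype.lower().endswith((".log", ".txt"))   # assumed allow-list


def analyze(raw):
    request_line, body = split_request(raw)
    return {"et_m1": matches_et_m1(request_line, body),
            "et_m2": matches_et_m2(request_line, body),
            "decoded": suspicious_meta(extract_log_meta(request_line, body))}


def is_success_response(body):
    """Match the success body by string, tolerating a trailing newline."""
    return body.rstrip("\r\n") == SUCCESS_BODY


if __name__ == "__main__":
    for name, req in [("M1", M1_REQUEST), ("M2", M2_REQUEST), ("benign", BENIGN_REQUEST), ("encoded", ENCODED_REQUEST)]:
        print(f"{name:8s} {analyze(req)}")
```

The percent-encoded variant is the interesting row: neither literal-string rule fires on it, while the decoded check sees the same `../` path and `.py` target as the original PoC. The second request also passes M2 with a boundary the PoC never used, which is the point of the Nuclei caveat above.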

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -        9.8    CRITICAL  -