Active attacks exploiting old bugs in VMware NSX Manager spike

Ongoing attacks attempting to exploit critical vulnerabilities in VMware NSX Manager are on the upswing, with 40,000 reported attempts over the last two months, researchers warn. 

The flaws are not new, however API security firm Wallarm found that unprotected and compromised systems could lead to “catastrophic” consequences, allowing attackers to execute arbitrary code, steal data and take control of network infrastructure.

The two bugs (CVE-2021-39144 and CVE-2022-31678) work in tandem, allowing adversaries to compromise unpatched VMware NSX systems, said Wallarm in a Monday report.

"Active exploitation started on 2022-Dec-08 and keeps going,” Wallarm said. "Attackers are scanning from well-known data centers like Linode and Digital Ocean - Over 90 percent of the attacks are coming from their IP addresses."

First identified by Source Incite and patched by VMware in October 2022, the vulnerabilities target VMware NSX Manager, used for network virtualization and security. 

Raising the stakes for the vulnerabilities are the typical customers of VMware’s NSX systems. “Companies that use VMware NSX Manager typically require a high level of security for their network infrastructure. This includes businesses in the financial sector, healthcare, retail [and] ecommerce, and government agencies,” Wallarm said. 

Bug specifics

“By far the more severe of these is CVE-2021-39144, an unauthenticated remote code execution vulnerability with a CVSSv3 score of 9.8,” wrote Rapid7 in an October analysis of the two vulnerabilities. 

“The vulnerability arises from a deserialization flaw in an open-source library called XStream, which is used to serialize objects to XML and back again,” Rapid7 reported. “An unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V) provides a vector for attackers to obtain remote code execution in the context of 'root' on the appliance.” 

The second bug, CVE-2022-31678, with a CVSS score of 9.1, when combined with the CVE-2021-39144 allows a pre-authenticated attacker to expose software to XXE (XML External Entity Injection) and lead to "high impact attacks," Wallarm noted. 

Scope of active attacks and attribution 

While Wallarm claims scanning attempts for the bugs peaked in late December as the team blocked an average of between 1,750 and 4,600 attacks per day, there are still about 500 current hacking attempts highlighting the ongoing nature of the threat. 

Nikita Vdovushkin, threat intelligence lead at Wallarm, urges organizations to patch their systems. But for those who cannot do so, he suggests they follow defense-in-depth principles, including implementing network segmentation, deploying firewalls and intrusion detection and prevention systems, and using Web Application and API Protection to defend against the attacks.

“It's hard to attribute these attacks to any specific group or individual. It's possible that small hacker groups are looking for initial access, which they can then sell to other actors who specialize in different types of attacks such as installation of miners or advanced persistent threat (APT) attacks,” Vdovushkin told SC Media in an email.