This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
erondicarvalho
Explorer
‎2021-02-25 05:50 AM
Jump to solution

Does Check Point has CVE-2021-21972 IPS protection?

 

Hello 

I have updated IPS on management but I cannot find CVE-2021-21972 signature.

Does Check Point has CVE-2021-21972 IPS protection?

Does Check Point has plan to release this signature?

 

Thank you.

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin
‎2021-02-25 06:03 AM
Jump to solution

The vulnerability was announced yesterday. Until there is a proof of concept, or a working exploit, IPS signature cannot be produced. VMware has posted a workaround here, that you can apply meanwhile

View solution in original post

Avi_Bechor
Employee
Employee
‎2021-02-28 11:35 PM
Jump to solution

Hi,

An IPS protection was released for this vulnerability.
Protection name: "VMware vSphere Client Remote Code Execution (CVE-2021-21972)"

Thanks,
Avi

View solution in original post

5 Replies
_Val_
Admin
Admin
‎2021-02-25 06:03 AM
Jump to solution

The vulnerability was announced yesterday. Until there is a proof of concept, or a working exploit, IPS signature cannot be produced. VMware has posted a workaround here, that you can apply meanwhile

Sigbjorn
Advisor
Advisor
‎2021-02-28 10:40 PM
In response to _Val_
Jump to solution

This exploit is in the wild now.

Proof of Concept available on github; https://github.com/horizon3ai/CVE-2021-21972

Any updates on IPS signatures?

 

 

0 Kudos
Avi_Bechor
Employee
Employee
‎2021-02-28 11:35 PM
Jump to solution

Hi,

An IPS protection was released for this vulnerability.
Protection name: "VMware vSphere Client Remote Code Execution (CVE-2021-21972)"

Thanks,
Avi

Sigbjorn
Advisor
Advisor
‎2021-03-01 01:02 AM
In response to Avi_Bechor
Jump to solution

I don't seem to have any luck triggering this protection.

Testing at home:

Check Point 3100 - R80.40 JHA91
[Expert@cp-fw01:0]# ips stat
IPS Status: Enabled
Active Profiles:
Custom Optimized
IPS Update Version: 635211403
Global Detect: Off
Bypass Under Load: Off

Second test:

VSX R80.30 JHA 227 (Open server)

[Expert@<vsxhostname>:<vsid>]# ips stat
IPS Status: Enabled
IPS Update Version: 635211403
Global Detect: Off
Bypass Under Load: Off

 

In the test, I'm just running the PoC Code from Github.

x@y:~/CVE-2021-21972$ python3 poc.py -t 10.99.9.9 -f testfile.txt -p /home/vsphere-ui/testfile.txt -o unix
[+] 10.99.9.9 vulnerable to CVE-2021-21972!
[+] Adding testfile.txt as ../../../../../home/vsphere-ui/testfile.txt to archive
[+] Wrote testfile.txt to exploit.tar on local filesystem
[+] File uploaded successfully

 

root@photon-machine [ ~ ]# cd /home/vsphere-ui/
root@photon-machine [ /home/vsphere-ui ]# ls
testfile.txt
root@photon-machine [ /home/vsphere-ui ]# cat testfile.txt
test
root@photon-machine [ /home/vsphere-ui ]#

 

 

0 Kudos
Avi_Bechor
Employee
Employee
‎2021-03-01 03:21 AM
In response to Sigbjorn
Jump to solution

Hi,

The PoC you shared is blocked based on our internal testing, I am taking this with you offline to ensure that you configured the testing correctly

Avi

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events