This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect activities related to the VMware vCenter Remote Code Execution vulnerability. See CVE-2021-21985 and CVE-2021-21986 for reference.

For more information on the threat, also see the FortiGuard Lab Threat Signal Report:

What is included in Fortinet_SOC-VMware-vCenter-Detection.zip?

1) outbreak_alerts_service_VMware.vCenter_detection.json

This event handler helps identify indicators detected by FortiGate's and FortiClient's IPS and Endpoint Vulnerability signatures. The logs that trigger the event handler are generated by FortiGate and FortiClient, so the corresponding IPS and Endpoint Vulnerability signatures on those devices must be kept up to date to prevent and log the exploits.

FortiGate: Ensure the IPS Signature package is at least 18.112 in order to cover VMware.vCenter.CVE-2021-21985.Remote.Code.Execution.

FortiClient: Ensure Endpoint Vulnerability Protection is at least 1.246 to cover "VMware vCenter Server updates address remote code execution and authentication vulnerabilities (CVE-..."

2) outbreak_alerts_service_VMware.vCenter_report.dat

A report that summarizes findings on activities related to the VMware vCenter Remote Code Execution vulnerability, as detected by the IPS Engine on FortiGate devices and by Endpoint Vulnerability protection on FortiClient devices.

See the Solution section for instructions on how to load the event handler into a FortiAnalyzer unit.
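The event handler above matches FortiGate IPS logs whose attack field carries the vCenter RCE signature. The following added example (not part of the Fortinet detection package) shows the same matching logic run over a few constructed FortiGate-style key="value" log lines, plus a check that an installed IPS package meets the 18.112 minimum the article states; the exact field names (subtype, attack, action, srcip) are assumptions about the log format.

```python
import re

# Signature name and minimum IPS package version quoted in the article.
VCENTER_RCE_SIGNATURE = "VMware.vCenter.CVE-2021-21985.Remote.Code.Execution"
MIN_IPS_PACKAGE = "18.112"

# Constructed sample lines in FortiGate key="value" style (not real captures).
SAMPLE_LOGS = [
    'date=2021-06-01 time=10:15:02 devname="fgt-edge" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" srcip="192.0.2.10" dstip="198.51.100.5" '
    'dstport=443 action="dropped" severity="critical" '
    'attack="VMware.vCenter.CVE-2021-21985.Remote.Code.Execution"',
    'date=2021-06-01 time=10:15:09 devname="fgt-edge" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" srcip="192.0.2.11" dstip="203.0.113.8" '
    'action="passthrough"',
    'date=2021-06-01 time=10:16:40 devname="fgt-edge" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" srcip="192.0.2.12" dstip="198.51.100.5" '
    'dstport=443 action="detected" severity="critical" '
    'attack="VMware.vCenter.CVE-2021-21985.Remote.Code.Execution"',
]

# key=value or key="value with spaces"; group 3 is the quoted form, group 4 the bare form.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(line: str) -> dict:
    """Split one FortiGate log line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def vcenter_rce_events(lines):
    """Yield parsed IPS records whose attack field is the vCenter RCE signature."""
    for line in lines:
        rec = parse_log(line)
        if rec.get("subtype") == "ips" and rec.get("attack") == VCENTER_RCE_SIGNATURE:
            yield rec


def package_is_current(installed: str, minimum: str = MIN_IPS_PACKAGE) -> bool:
    """True when the installed IPS package version is at least the required minimum."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(installed) >= as_tuple(minimum)


def summarize(lines) -> dict:
    """Report-style rollup: total hits, how many were dropped, and distinct sources."""
    events = list(vcenter_rce_events(lines))
    return {"total": len(events),
            "blocked": sum(1 for e in events if e.get("action") == "dropped"),
            "sources": sorted({e["srcip"] for e in events})}
```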
Copyright 2024 Fortinet, Inc. All Rights Reserved.