A patch has been released to fix a critical severity vulnerability in VMware’s virtualization management platform, vCenter Server. The vulnerability could be remotely exploited by an attacker to execute arbitrary code on a vulnerable host and gain full control of the system. The vulnerability has been given a CVSS severity rating of 9.8 out of 10.
The flaw, tracked as CVE-2021-21985, affects the vCenter Server platform used to administer VMware’s vSphere and ESXi host deployments. It is due to a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server. Because the plug-in is present whether or not vSAN is in use, the flaw could be exploited even in environments that do not use vSAN.
The flaw affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation (vCenter Server) versions 3.x and 4.x.
Exploiting the flaw is trivial. To exploit it, an attacker would need network access to vCenter Server over port 443. The vCenter Server does not need to be exposed to the Internet: an attacker who already has a foothold on the internal network could exploit it. An analysis by Rapid7 researchers suggests approximately 6,000 vCenter Servers are exposed to the Internet.
“In this era of ransomware, it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” said VMware technical marketing architect Bob Plankers.
In the same update, VMware has also fixed a moderate severity authentication vulnerability in vCenter Server. The flaw, tracked as CVE-2021-21986, is due to a bug in the vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins and could be exploited by an attacker with network access to port 443 on vCenter Server.
The bug affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation (vCenter Server) versions 3.x and 4.x and has been assigned a CVSS severity score of 6.5 out of 10.
Both flaws have been corrected in the following versions:
- vCenter Server 7.0 U2b
- vCenter Server 6.7 U3n
- vCenter Server 6.5 U3p
- VMware vCloud Foundation 4.2.1
- VMware vCloud Foundation 126.96.36.199
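As an added example (not code from the article or from VMware), the following Python script checks an inventory of vCenter Server instances against the fixed releases listed above and flags the ones that still need the update. It assumes a hypothetical inventory keyed by hostname whose version strings use VMware’s "major.minor Un<letter>" release naming (for example "6.7 U3n"); the inventory contents and hostnames are constructed for the example. The vCenter Server lines are covered; the Cloud Foundation line would be handled the same way with a plain dotted-version compare.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# First fixed release per vCenter Server line, as listed in the advisory text.
FIXED_RELEASES = {
    "7.0": "7.0 U2b",
    "6.7": "6.7 U3n",
    "6.5": "6.5 U3p",
}

# Accepts "7.0", "7.0 U2", "7.0 U2b", "7.0U2b" (case-insensitive).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?$", re.IGNORECASE)


class VcVersion(NamedTuple):
    """Comparable form of a vCenter release; tuple ordering does the comparison."""
    major: int
    minor: int
    update: int   # 0 = GA release with no update number
    letter: int   # 0 = no letter suffix, 1 = 'a', 2 = 'b', ...

    @property
    def line(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_version(text: str) -> VcVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    return VcVersion(
        int(major),
        int(minor),
        int(update) if update else 0,
        (ord(letter.lower()) - ord("a") + 1) if letter else 0,
    )


def is_patched(version_text: str) -> Optional[bool]:
    """True if the release is at or above the fixed release for its line,
    False if it is older, None if the line is not in the advisory's list."""
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get(v.line)
    if fixed is None:
        return None
    return v >= parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hosts into patched / unpatched / not_covered buckets."""
    result: Dict[str, List[str]] = {"patched": [], "unpatched": [], "not_covered": []}
    for host, version in inventory.items():
        status = is_patched(version)
        bucket = "not_covered" if status is None else ("patched" if status else "unpatched")
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "vcsa-prod-01": "7.0 U2b",
    "vcsa-prod-02": "7.0 U1d",
    "vcsa-lab-01": "6.7 U3n",
    "vcsa-legacy-01": "6.5 U3j",
    "vcsa-old-01": "6.0 U3",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Real inventories usually carry a numeric build number rather than the "U3n" release name, so in practice the mapping from build to release (VMware publishes that table) has to be applied first; this check also says nothing about whether the vSAN plug-in workaround has been applied on a host that is still unpatched.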
Prompt patching is highly recommended as the RCE vulnerability would be attractive to ransomware gangs. “All environments are different, have different tolerance for risk, and have different security controls & defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act,” said Plankers.
If it is not possible to apply the patch promptly, VMware has suggested workarounds that could prevent the flaw from being exploited, such as disabling the vSAN plugin; however, this is far from ideal, as it will stop all monitoring, management, and alarms.