VMware: vCenter Server Remote Code Execution
VMware: vSphere Client Authentication Vulnerability
On Tuesday, May 25th, 2021, VMware released a number of patches in light of multiple vulnerabilities in the vSphere Client (HTML5), which were privately reported to VMware.
One of these vulnerabilities (CVE-2021-21985) presents the opportunity for unauthenticated Remote Code Execution (RCE) in the vCenter server via network access through port 443. This allows the execution of commands with unrestricted privileges on the OS hosting the vCenter server. This is a critical severity issue with a CVSSv3 base score of 9.8.
At the time of writing, there have been no reported instances of these CVEs being exploited in live production environments. We have no indication at this time of the exploit code being widely available. It is important to note, however, that with a previous critical CVE released earlier in the year (CVE-2021-21972), researchers observed mass scanning within a day of its publication, suggesting some attacker groups may have the capability to exploit quickly.
These vulnerabilities have the potential to seriously impact targeted systems. All customers are strongly encouraged to investigate their usage and patch level of vCenter as an urgent priority. Whilst no public exploit code or production compromises have been observed, it is important to patch before the vulnerabilities start to be actively exploited.
Affected Products
vCenter Server
- Versions 6.5, 6.7, and 7.0
Cloud Foundation (vCenter Server)
- Versions 3.x and 4.x
vCenter Server Remote code execution (CVE-2021-21985) – CVSSv3 base score of 9.8
The vSphere Client (HTML5) contains a remote code execution vulnerability resulting from a lack of input validation in the Virtual SAN Health Check plug-in. This is enabled by default in vCenter Server even where vSAN is not being used.
A remote unauthenticated attacker can exploit this by sending a specially crafted HTTP request to the vSphere Client on port 443/tcp. This can trigger arbitrary execution of commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Where an organization has not exposed vCenter Server externally, this vulnerability can still be exploited by attackers who are already inside a network, for lateral movement and privilege escalation. VMware specifically calls out ransomware groups as being adept at leveraging such flaws post-compromise.
vSphere Client Authentication Vulnerability (CVE-2021-21986) – CVSSv3 base score of 6.5
The vulnerability exists as a result of an error when processing authentication requests to the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A remote unauthenticated attacker can bypass the authentication process and gain unauthorized access to the application.
If the VMware vSphere Client or vCenter Server is used in your environment, it is crucial that you update to the latest secure version at the earliest possible opportunity.
Cygilant SOC is currently working in collaboration with our SIEM vendors to ensure all avenues of detection are covered, in order to develop alert content for detection purposes. It would also be prudent to consider bringing forward any scheduled scans to identify whether unpatched vCenter applications are present within an environment.
The affected product versions and the corresponding fixed versions are shown in the table below:
| Product Version | Fixed Version |
| --- | --- |
| vCenter Server 7.0 | 7.0 U2b |
| vCenter Server 6.7 | 6.7 U3n |
| vCenter Server 6.5 | 6.5 U3p |
| Cloud Foundation (vCenter Server) 4.x | 4.2.1 |
| Cloud Foundation (vCenter Server) 3.x | 184.108.40.206 |
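As an added example (not part of the original advisory), the following Python triages a constructed vCenter inventory against the fixed versions in the table above. It assumes versions are recorded in the same "major.minor Update" form the table uses (e.g. "6.7 U3m"); update letters are ordered alphabetically, so "U3" < "U3a" < "U3n".

```python
import re

# Fixed versions for the vCenter Server release lines, taken from the advisory table.
FIXED_VERSIONS = {
    "7.0": "7.0 U2b",
    "6.7": "6.7 U3n",
    "6.5": "6.5 U3p",
}

# Matches "7.0", "7.0 U2" or "7.0 U2b" (case-insensitive on the "U" and letter).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+U(\d+)([a-z]?))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '6.7 U3n' into a comparable tuple (6, 7, 3, 'n'); a bare '6.7' becomes (6, 7, 0, '')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor), int(update or 0), (letter or "").lower())


def is_patched(reported):
    """True if at or above the fixed version for its release line, False if below,
    None if the release line is not covered by the advisory table."""
    v = parse_version(reported)
    line = f"{v[0]}.{v[1]}"
    if line not in FIXED_VERSIONS:
        return None
    return v >= parse_version(FIXED_VERSIONS[line])


def triage(inventory):
    """Split (hostname, version) pairs into patched / vulnerable / unknown buckets."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        status = is_patched(version)
        bucket = "unknown" if status is None else ("patched" if status else "vulnerable")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [("vc01", "7.0 U2b"), ("vc02", "6.7 U3m"), ("vc03", "7.0 U2"), ("vc04", "6.0 U3")]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket run a release line the table does not cover and should be checked against VMware's advisory directly.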
Where patching is not possible, VMware has published a workaround page with guidance on how to disable the vSAN plug-in, along with several others. This should be seen as a temporary measure until patches can be applied. For more detailed guidance, please refer to VMware’s blog post in the ‘More Information’ section below.
- Actions taken based on the recommendations in this advisory are at your own discretion.
- The IOC list (if provided) and other information are time-sensitive in nature and may be overridden in subsequent updates as new information is obtained.