Security Brief: VMware vCenter

VMware vCenter Vulnerabilities

We have just become aware of two recent vulnerabilities associated with VMware vCenter; these vulnerabilities could allow a threat actor with network access to port 443 to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Priority:

These exploits (CVE-2021-21985, CVE-2021-219856) should be considered extremely critical in terms of establishing a remediation plan since this can allow a threat actor to gain access unrestricted access.  It is recommended that if you have an affected version that you remediate within 12-24 hours via an emergency change.

Affected Versions:

The following are all the versions that are affected with this recent zero day:

  • vCenter Server 7.0
  • vCenter Server 6.7
  • vCenter Server 6.5
  • Cloud Foundation (vCenter Server) 4.x
  • Cloud Foundation (vCenter Server) 3.x

The Vulnerability:

The exploit details are as follows:

  • CVE-2021-21985 – The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
  • CVE-2021-21986 – The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

The Remediation:

Patch the appliance to the most current release of the software (See Remediation Matrix Below)

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
vCenter Server
7.0
Any
CVE-2021-21985
Critical
vCenter Server
6.7
Any
CVE-2021-21985
Critical
vCenter Server
6.5
Any
CVE-2021-21985
Critical
Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Cloud Foundation (vCenter Server)
4.x
Any
CVE-2021-21985
Critical
Cloud Foundation (vCenter Server)
3.x
Any
CVE-2021-21985
Critical
Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
vCenter Server
7.0
Any
CVE-2021-21986
Moderate
vCenter Server
6.7
Any
CVE-2021-21986
Moderate
vCenter Server
6.5
Any
CVE-2021-21986
Moderate
Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Cloud Foundation (vCenter Server)
4.x
Any
CVE-2021-21986
Moderate
Cloud Foundation (vCenter Server)
3.x
Any
CVE-2021-21986
Moderate

Reference:

https://www.vmware.com/security/advisories/VMSA-2021-0010.html