VMware vCenter Vulnerabilities

We have just become aware of two recent vulnerabilities associated with VMware vCenter; these vulnerabilities could allow a threat actor with network access to port 443 to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Priority:

These exploits (CVE-2021-21985, CVE-2021-219856) should be considered extremely critical in terms of establishing a remediation plan since this can allow a threat actor to gain access unrestricted access.  It is recommended that if you have an affected version that you remediate within 12-24 hours via an emergency change.

Affected Versions:

The following are all the versions that are affected with this recent zero day:

• vCenter Server 7.0
• vCenter Server 6.7
• vCenter Server 6.5
• Cloud Foundation (vCenter Server) 4.x
• Cloud Foundation (vCenter Server) 3.x

The Vulnerability:

The exploit details are as follows:

• CVE-2021-21985 – The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
• CVE-2021-21986 – The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

The Remediation:

Patch the appliance to the most current release of the software (See Remediation Matrix Below)

Reference:

https://www.vmware.com/security/advisories/VMSA-2021-0010.html