by Jared Hamilton
Manager of Technical Operations
VMware announced on May 25th, 2021 (Advisory ID: VMSA-2021-0010) two new vulnerabilities that target vCenter Server versions 6.5, 6.7 and 7.0 as well as Cloud Foundation (vCenter Server) versions 3.x and 4.x. Both vulnerabilities have a severity rating of 9.8 out of 10 and are marked as critical.
CVE-2021-21985: Outlines a remote code execution vulnerability in vCenter Server’s vSphere Client. The vSphere HTML5 contains a remote code execution vulnerability due to lack of input validation in the Virtual San Health Check plug-in which is enabled by default in vCenter server. vSphere HTML5 client. This vulnerability (if left unmitigated) allows a malicious actor with network access to port 443 the ability to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
It is important to note, independent online resources have reported that internet-connected vCenter servers that have not been remediated have been successfully compromised by a malicious attacker. One researcher reported they configured an unpatched internet-facing vCenter server for testing purposes saw scanning by remote systems in less than 35 minutes.
https://bit.ly/3x4s6y1
VMware highly recommends deploying the following updates or workarounds to address this highly critical vulnerability.
vCenter Server
Version 7.0
Apply Update U2b
Workaround (if patch update is not an option): Set the Virtual SAN Health Check Plugin to incompatible.
vCenter Server
Version 6.7
Apply Update U3n
Workaround (if patch update is not an option): Set the Virtual SAN Health Check Plugin to incompatible.
vCenter Server
Version 6.5
Apply Update U3p
Workaround (if patch update is not an option): Set the Virtual SAN Health Check Plugin to incompatible.
Cloud Foundation Server
Version 4.x
Apply Update 4.2.1
Workaround (if patch update is not an option): Set the Virtual SAN Health Check Plugin to incompatible.
Cloud Foundation Server
Version 3.x
Apply Update 3.10.2.1
Workaround (if patch update is not an option): Set the Virtual SAN Health Check Plugin to incompatible.
CVE-2021-21986: Outlines a vulnerability in vCenter Server’s vSphere Client (HTML5) authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMWare Cloud Director Availability plug-ins. This vulnerability allows a malicious actor with network access to port 443 on the vCenter server to perform actions allowed by the impacted plug-ins outlined.
VMware highly recommends deploying the following updates or workarounds to address this highly critical vulnerability.
vCenter Server
Version 7.0
Apply Update U2b
Workaround (if patch update is not an option): Set plugins outlined to incompatible.
vCenter Server
Version 6.7
Apply Update U3n
Workaround (if patch update is not an option): Set plugins outlined to incompatible.
vCenter Server
Version 6.5
Apply Update U3p
Workaround (if patch update is not an option): Set plugins outlined to incompatible.
Cloud Foundation Server
Version 4.x
Apply Update 4.2.1
Workaround (if patch update is not an option): Set plugins outlined to incompatible.
Cloud Foundation Server
Version 3.x
Apply Update 3.10.2.1
Workaround (if patch update is not an option): Set plugins outlined to incompatible.
Due to the severity of the outlined vulnerabilities, Helient Systems recommends patching and or implementing the recommended VMWare product workarounds at the earliest opportunity.
Helient Systems will be contacting our Managed Services customers to plan and schedule remediation against these vulnerabilities.
If you would like assistance planning and remediating these vulnerabilities in your environment, please contact our experts at service@helient.com.