VMware vCenter Server Vulnerabilities
Details of multiple critical vulnerabilities in VMware vCenter Server, vSphere and ESXi products have been released by VMware. These could be exploited on vulnerable systems to remotely execute arbitrary code or cause sensitive information disclosure.
Affected platforms
The following platforms are known to be affected:
VMware vCenter Server Versions: all v7 prior to 7.0 U1c, all v6.7 prior to 6.7 U3l, and all v6.5 prior to 6.5 U3n
Cloud Foundation Versions: all v4 prior to 4.2 and all v3 prior to 3.10.1.2
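As an added example that is not part of the original advisory, the following Python script turns the vCenter Server version boundaries listed above into an inventory check: each host's reported version is compared against the fixed version for its major line (7.0 U1c, 6.7 U3l, 6.5 U3n), and anything older in the same line is flagged as vulnerable. The hostnames and version strings in the sample inventory are constructed for this example; Cloud Foundation uses a different version scheme and is not handled here.

```python
import re
from typing import Dict, Tuple

# Fixed versions taken from the advisory's "Affected platforms" list. Any build
# in the same major line that is older than the fixed version is vulnerable.
FIXED_VCENTER = {
    "7.0": "7.0 U1c",
    "6.7": "6.7 U3l",
    "6.5": "6.5 U3n",
}

# Accepts "7.0", "7.0 U1", "7.0 U1c" (the update letter is optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Split 'major.minor [Un[x]]' into the major line and a sortable key.

    GA builds without an update sort as (0, 0), 'U1' as (1, 0), 'U1c' as (1, 3),
    so tuple comparison reproduces VMware's release ordering within a line.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    line = f"{m.group(1)}.{m.group(2)}"
    update = int(m.group(3)) if m.group(3) else 0
    letter = ord(m.group(4).lower()) - ord("a") + 1 if m.group(4) else 0
    return line, (update, letter)


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched', or 'not-covered' for one vCenter version.

    'not-covered' means the major line is not listed in the advisory at all,
    which should be treated as "check the vendor advisory", not as safe.
    """
    line, key = parse_version(version)
    fixed = FIXED_VCENTER.get(line)
    if fixed is None:
        return "not-covered"
    _, fixed_key = parse_version(fixed)
    return "vulnerable" if key < fixed_key else "patched"


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {hostname: version} inventory to its verdict."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory; hostnames and versions are invented for this example.
SAMPLE_INVENTORY = {
    "vcsa-prod-01.example.internal": "7.0 U1",
    "vcsa-prod-02.example.internal": "7.0 U1c",
    "vcsa-lab.example.internal": "6.7 U3k",
    "vcsa-legacy.example.internal": "6.5 U3n",
    "vcsa-old.example.internal": "6.0 U3",
}

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:32} {SAMPLE_INVENTORY[host]:10} {verdict}")
```

In practice the inventory would be populated from whatever records the vCenter versions in your estate (an asset database or the version reported by each appliance's management interface); the comparison logic itself needs only the version string.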
Threat details
Introduction
VMware has addressed a critical remote code execution (RCE) vulnerability in the vCenter Server virtual infrastructure management platform that may allow an attacker to take control of affected systems.
Additionally, VMware has addressed vulnerabilities in their ESXi and vSphere products, which could allow an attacker to disclose sensitive information, or execute arbitrary remote code in the worst-case scenario.
vCenter Server Critical RCE Vulnerability - CVE-2021-21972
The vulnerability allows a remote attacker to execute arbitrary code on the target system, and exists due to insufficient validation of user-supplied input in vSphere Client. A remote unauthenticated user can send a specially crafted HTTP request to TCP port 443 and execute arbitrary code on the system.
PoC Identified for CVE-2021-21972
Proof-of-concept (PoC) exploit code for the vCenter Server critical RCE vulnerability outlined in CVE-2021-21972 has been observed online. Because of this, it is likely that the PoC will be weaponised by malicious actors imminently.
vSphere Client SSRF Vulnerability - CVE-2021-21973
The vSphere Client contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. An attacker with network access to port 443 may exploit this issue by sending a POST request to the vCenter Server plugin, leading to information disclosure.
ESXi OpenSLP Heap-Overflow Vulnerability - CVE-2021-21974
OpenSLP in ESXi contains a heap-overflow vulnerability. An attacker residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service resulting in remote code execution.
Remediation advice
Organisations are strongly encouraged to assess their network infrastructure to identify vulnerable systems, review VMware's VMSA-2021-0002 Advisory, and apply the necessary updates to systems.
VMware has also provided a workaround for organisations who cannot immediately update to a version that patches CVE-2021-21972. Guidance on implementing the workaround on Linux-based virtual appliances (vCSA) can be found in VMware's KB82374 support document.
In addition to the released PoC, Positive Technologies has published a technical report on the vulnerability. Network administrators may find this report insightful for further details of the vulnerability and how the exploit works.
Definitive source of threat updates: CVE Vulnerabilities
Last edited: 26 February 2021 12:52 pm