[German]VMware has issued an urgent security warning to users of vSphere. The vSphere Client (HTML5) contains a critical vulnerability CVE-2021-21985 that could allow remote code execution due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. A second vulnerability affected VMware Cloud Foundation. Security updates for the affected components are available.
Advertising
In Advisory VMSA-2021-0010, dated May 25, 2021, VMware points out two vulnerabilities CVE-2021-21985 and CVE-2021-21986 in:
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
which are considered critical. The following tweet addresses vulnerability CVE-2021-21985. According to VMware, multiple vulnerabilities in the vSphere Client (HTML5) have been privately reported to the vendor. An article on the topic can also be found atheimdahl.
CVE-2021-2198 in vSphere Client
The vSphere Client (HTML5) contains a remote code execution vulnerability due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. A malicious actor with network access to port 443 can exploit this issue to execute commands with unrestricted privileges on the underlying operating system hosting vCenter Server.
VMware has rated the severity of this issue as critical, with a maximum CVSSv3 baseline of 9.8. vCenter Server 6.5, 6.7, 7.0 are affected. In this document, VMware describes how to disable plugins to prevent exploitation of this vulnerability. Deployed VMware vCenter Server updates address the remote code execution vulnerability in the vSphere Client (CVE-2021-21985). Details can be found in the Security Advisory.
Advertising
Vulnerability CVE-2021-21986 in vCenter Server Plug-ins
The vSphere Client (HTML5) also contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server can perform actions allowed by the affected plug-ins without authentication. VMware has rated the severity of this issue as moderate with a maximum CVSSv3 baseline of 6.5. Again, updates are available to close this vulnerability. Details can be found in the Security Advisory.
Security researcher Kevin Beaumont points out in the above tweet that you can very quickly check via the search engine Shodan with the term "VMware vCenter Server" whether servers are accessible via the Internet. In Germany, only 2 instances are currently reported to me. Beaumont points out in this tweet that Managed Solution Providers (MSP) often configure the VMs as reachable via the Internet.
