VMware vCenter Affected By Critical Vulnerabilities

Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. These vulnerabilities have CVSS scores ranging from 4.3 to 9.8. The most critical is CVE-2021-22005, an arbitrary file upload vulnerability in the Analytics service that impacts vCenter Server 6.7 and 7.0 deployments. By exploiting this vulnerability, a remote attacker could take control of an affected system.

“A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file,” VMware noted, adding that “this vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”

The complete list of flaws patched by the virtualization services provider in descending CVSS score is as follows:

| Sr. No. | CVE-ID | Vulnerability Name | CVSS |
|---|---|---|---|
| 1 | CVE-2021-22005 | vCenter Server file upload vulnerability | 9.8 |
| 2 | CVE-2021-21991 | vCenter Server local privilege escalation vulnerability | 8.8 |
| 3 | CVE-2021-22006 | vCenter Server reverse proxy bypass vulnerability | 8.3 |
| 4 | CVE-2021-22011 | vCenter Server unauthenticated API endpoint vulnerability | 8.1 |
| 5 | CVE-2021-22015 | vCenter Server improper permission local privilege escalation vulnerabilities | 7.8 |
| 6 | CVE-2021-22012 | vCenter Server unauthenticated API information disclosure vulnerability | 7.5 |
| 7 | CVE-2021-22013 | vCenter Server file path traversal vulnerability | 7.5 |
| 8 | CVE-2021-22016 | vCenter Server reflected XSS vulnerability | 7.5 |
| 9 | CVE-2021-22017 | vCenter Server rhttpproxy bypass vulnerability | 7.3 |
| 10 | CVE-2021-22014 | vCenter Server authenticated code execution vulnerability | 7.2 |
| 11 | CVE-2021-22018 | vCenter Server file deletion vulnerability | 6.5 |
| 12 | CVE-2021-21992 | vCenter Server XML parsing denial-of-service vulnerability | 6.5 |
| 13 | CVE-2021-22007 | vCenter Server local information disclosure vulnerability | 5.5 |
| 14 | CVE-2021-22019 | vCenter Server denial of service vulnerability | 5.3 |
| 15 | CVE-2021-22009 | vCenter Server VAPI multiple denial of service vulnerabilities | 5.3 |
| 16 | CVE-2021-22010 | vCenter Server VPXD denial of service vulnerability | 5.3 |
| 17 | CVE-2021-22008 | vCenter Server information disclosure vulnerability | 5.3 |
| 18 | CVE-2021-22020 | vCenter Server Analytics service denial-of-service vulnerability | 5.0 |
| 19 | CVE-2021-21993 | vCenter Server SSRF vulnerability | 4.3 |

Affected products

  • vCenter Server versions 6.7 and 7.0
  • Cloud Foundation (vCenter Server) 3.x, 4.x

Workarounds

To remediate all the CVEs mentioned in this blog, you must apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ on the VMware advisory page. For additional documentation, see the VMSA-2021-0020 FAQ.

Qualys Detection

Qualys customers can scan their devices with QIDs 216265, 216266, 216267 and 216268 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

References

https://www.vmware.com/security/advisories/VMSA-2021-0020.html

https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-bug-in-default-vcenter-server-installs/

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2d-release-notes.html

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html

https://core.vmware.com/vmsa-2021-0020-questions-answers-faq
