VMware vCenter Server Multiple Vulnerabilities (CVE-2021-21986, CVE-2021-21985)

On 25th May 2021, VMware released a security advisory to address two vulnerabilities (CVE-2021-21986, CVE-2021-21985) for vCenter Server. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on the vulnerable system.

VMware has assigned critical severity for CVE-2021-21985 with a maximum CVSSv3 base score of 9.8. The severity of CVE-2021-21986 has been evaluated as “moderate” with a maximum CVSSv3 base score of 6.5.

VMware urges customers to immediately patch these critical vulnerabilities.

Vulnerability Details

CVE-2021-21985:

This RCE vulnerability occurred due to improper input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.  An attacker having network access to port 443 could exploit this bug to execute arbitrary commands on the vulnerable system.

Affected Product Versions, Patched Versions and Workarounds:

Product Version Running On CVSSv3 Severity Fixed Versions Workaround
vCenter Server 7.0 Any 9.8 Critical 7.0 U2b KB83829
vCenter Server 6.7 Any 9.8 Critical 6.7 U3n KB83829
vCenter Server 6.5 Any 9.8 Critical 6.5 U3p KB83829
Cloud Foundation (vCenter Server) 4.x Any 9.8 Critical 4.2.1 KB83829
Cloud Foundation (vCenter Server) 3.x Any 9.8 Critical 3.10.2.1 KB83829

CVE-2021-21986:

This vulnerability was found in the vSphere authentication mechanism of vCenter Server plug-ins (Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability). An attacker having network access to port 443 could exploit this bug to perform actions allowed by the impacted plug-ins without authentication.

Affected Product Versions, Patched Versions and Workarounds:

Product Version Running On CVSSv3 Severity Fixed Version Workaround
vCenter Server 7.0 Any 6.5 Moderate 7.0 U2b KB83829
vCenter Server 6.7 Any 6.5 Moderate 6.7 U3n KB83829
vCenter Server 6.5 Any 6.5 Moderate 6.5 U3p KB83829

On Shodan, we observed more than 5000 publicly available devices on the internet that may be vulnerable.

Image Source: Shodan

Detection

Qualys customers can scan their network with QIDs 216259, 216260, 216261 to detect vulnerable assets.

Kindly continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

Workaround

Affected plugins must be set to “incompatible.” Disabling a plugin from within the UI does not prevent exploitation.

To check how to disable affected plugin refer workaround provided by VMware.

Workaround Detection

Qualys Policy Compliance customers can evaluate workaround on vCenter Linux-based virtual appliances by following controls:

21522 Status of the VMware Cloud Director Availability Plugin
21521 Status of the VMware vSphere Life-cycle Manager
21520 Status of the VMware Site Recovery Plugin
21519 Status of the VMware vSAN H5 Client Plugin
21464 Status of the VMware vRops Client Plugin

Note:

Customer should create Unix authentication record with target type “VMWare vCenter Server (Policy Compliance)”

References

Leave a Reply

Your email address will not be published. Required fields are marked *