Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. These vulnerabilities have CVSS scores ranging from 4.3 to 9.8. Out of these vulnerabilities, the most critical was CVE-2021-22005 – an arbitrary file upload vulnerability in the Analytics service, which impacts vCenter Server 6.7 and 7.0 deployments. Exploiting this vulnerability, a remote attacker could take control of an affected system.
“A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file,” VMware noted, further adding that “this vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”
The complete list of flaws patched by the virtualization services provider, in descending order of CVSS score, is as follows:
| Sr. No. | CVE-ID | Vulnerability Name | CVSS |
|---|---|---|---|
| 1. | CVE-2021-22005 | vCenter Server file upload vulnerability | 9.8 |
| 2. | CVE-2021-21991 | vCenter Server local privilege escalation vulnerability | 8.8 |
| 3. | CVE-2021-22006 | vCenter Server reverse proxy bypass vulnerability | 8.3 |
| 4. | CVE-2021-22011 | vCenter Server unauthenticated API endpoint vulnerability | 8.1 |
| 5. | CVE-2021-22015 | vCenter Server improper permission local privilege escalation vulnerabilities | 7.8 |
| 6. | CVE-2021-22012 | vCenter Server unauthenticated API information disclosure vulnerability | 7.5 |
| 7. | CVE-2021-22013 | vCenter Server file path traversal vulnerability | 7.5 |
| 8. | CVE-2021-22016 | vCenter Server reflected XSS vulnerability | 7.5 |
| 9. | CVE-2021-22017 | vCenter Server rhttpproxy bypass vulnerability | 7.3 |
| 10. | CVE-2021-22014 | vCenter Server authenticated code execution vulnerability | 7.2 |
| 11. | CVE-2021-22018 | vCenter Server file deletion vulnerability | 6.5 |
| 12. | CVE-2021-21992 | vCenter Server XML parsing denial-of-service vulnerability | 6.5 |
| 13. | CVE-2021-22007 | vCenter Server local information disclosure vulnerability | 5.5 |
| 14. | CVE-2021-22019 | vCenter Server denial of service vulnerability | 5.3 |
| 15. | CVE-2021-22009 | vCenter Server VAPI multiple denial of service vulnerabilities | 5.3 |
| 16. | CVE-2021-22010 | vCenter Server VPXD denial of service vulnerability | 5.3 |
| 17. | CVE-2021-22008 | vCenter Server information disclosure vulnerability | 5.3 |
| 18. | CVE-2021-22020 | vCenter Server Analytics service denial-of-service vulnerability | 5.0 |
| 19. | CVE-2021-21993 | vCenter Server SSRF vulnerability | 4.3 |
Affected products
- vCenter Server versions 6.7 and 7.0
- Cloud Foundation (vCenter Server) 3.x, 4.x
Workarounds
To remediate all the CVEs mentioned in this blog post, you must apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ on the VMware advisory page. For additional documentation, see the vmsa-2021-0020 FAQ.
Qualys Detection
Qualys customers can scan their devices with QIDs 216265, 216266, 216267 and 216268 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://www.vmware.com/security/advisories/VMSA-2021-0020.html
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2d-release-notes.html
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html
https://core.vmware.com/vmsa-2021-0020-questions-answers-faq