Relevant CVE: CVE-2021-21985
On 25 May, VMware announced new vulnerabilities and fixes for VMware vCenter Server, including critical CVEs. These vulnerabilities affect all VMware vCenter Server customers, and VMware strongly recommends that vCenter Server systems be updated to fixed versions as soon as possible.
The Threat
The following critical vulnerabilities in VMware vCenter Server were disclosed.
CVE-2021-21985 (VMSA-2021-0010)
CVE-2021-21985 is a remote code execution vulnerability in the vSphere Client (HTML5) caused by a lack of input validation in the vSAN Health Check plug-in. Because this plug-in is enabled by default, an attacker with network access to port 443 may be able to execute malicious code with elevated privileges on the underlying operating system that hosts vCenter Server.
If affected systems are public facing, firewall logs should be audited for signs of compromise. As per VMware's recommendations, customers should take “steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.”
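As an added illustration of the firewall-log audit recommended above (example code written for this advisory, not VMware's or Integrity360's tooling): it parses constructed key=value firewall records and counts permitted TCP/443 connections to the vCenter host from addresses outside the management network. The log format, the vCenter address 10.0.10.5 and the 10.0.0.0/16 management range are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall records (not from any real system), in the
# key=value style many perimeter firewalls export. The vCenter address
# 10.0.10.5 and the 10.0.0.0/16 management network are assumptions.
SAMPLE_LOG = """\
2021-05-26T08:01:12Z action=allow src=10.0.20.14 dst=10.0.10.5 proto=tcp dport=443
2021-05-26T08:02:40Z action=allow src=203.0.113.77 dst=10.0.10.5 proto=tcp dport=443
2021-05-26T08:02:41Z action=allow src=203.0.113.77 dst=10.0.10.5 proto=tcp dport=443
2021-05-26T08:03:05Z action=deny src=198.51.100.9 dst=10.0.10.5 proto=tcp dport=443
2021-05-26T08:04:19Z action=allow src=198.51.100.9 dst=10.0.10.5 proto=tcp dport=22
2021-05-26T08:05:00Z action=allow src=203.0.113.77 dst=10.0.30.8 proto=tcp dport=443
"""

VCENTER_HOSTS = {"10.0.10.5"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_management_source(ip):
    """True if the address lies inside one of the trusted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)

def audit_vcenter_access(log_text, vcenter_hosts=VCENTER_HOSTS):
    """Count permitted TCP/443 connections to vCenter from outside the management
    networks, keyed by source IP; any hit means the management interface was
    reachable from the perimeter and that source deserves follow-up in vCenter logs."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than silently mis-classifying them
        if (rec["action"] == "allow" and rec["dst"] in vcenter_hosts
                and rec["proto"] == "tcp" and rec["dport"] == "443"
                and not is_management_source(rec["src"])):
            hits[rec["src"]] += 1
    return dict(hits)
```

Denied connections and traffic to other hosts or ports are ignored, so the sample data yields only the external address that was actually permitted through to vCenter on 443.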
In its disclosure, VMware specifically highlights the ability of ransomware gangs to use this type of vulnerability in post-exploitation activity.
CVSS score: 9.8 (Critical)
The Impact
Integrity360 has not yet observed any real cases of the vulnerabilities being exploited in the wild as of the time this advisory was written. Integrity360 will continue to monitor our customers' estates and the wild with extra care and due diligence for threat actors looking to capitalise on these critical vulnerabilities.
Recommendations
VMware customers should update their VMware vCenter Server systems to the latest, most secure, and best-performing versions. Resources about the vulnerabilities and how to update or upgrade the affected VMware vCenter Server systems are available at the following link: VMSA-2021-0010.
Affected Systems
Product: vCenter Server, versions 6.5, 6.7 and 7.0
More information