Several months after the security patches were released, thousands of internet-facing VMware vCenter servers still have critical vulnerabilities that can be exploited.
The patches for the two critical bugs, CVE-2021-21985 and CVE-2021-21986, have been available from VMware since May 25. However, VMware users have to apply them manually; affected servers are not updated automatically.
The first flaw, CVE-2021-21985, is in the vSAN plugin used in VMware vCenter Server and VMware Cloud Foundation. It was discovered and fixed on March 21, 2019. It allows remote code execution over port 443, and can be exploited to gain unauthorized access to “the underlying operating system that hosts vCenter Server” with “unrestricted privileges.”
The bug impacts vCenter Server 6.5, 6.7, and 7.0, alongside Cloud Foundation vCenter Server 3.x and 4.x.
The second vulnerability, CVE-2021-21986 (CVSS score of 6.5), is present in the vSphere Client (HTML5) and in the authentication mechanism of several plugins: Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability. This flaw allows an attacker to “perform actions allowed by the impacted plug-ins without authentication.”
It appears that thousands of internet-facing servers remain vulnerable to both CVE-2021-21985 and CVE-2021-21986.
According to Trustwave SpiderLabs researchers, there are over 5,000 instances of VMware vCenter servers online running versions 6.5 and above, with port 443 the most commonly exposed port. Further, a Shodan search identified 4,019 unpatched server instances, almost 90% of all the instances found.