A vulnerability in vCenter Server allows an attacker with network access to port 443 to execute arbitrary commands on the underlying host operating system.
VMware has warned vCenter customers to update vCenter Server versions 6.5, 6.7, and 7.0 immediately, after a pair of bugs was privately reported to the company.
CVE-2021-21985 (CVSSv3 base score 9.8) is a remote code execution vulnerability in the vSAN Health Check plug-in of the vSphere Client (HTML5) that an attacker can abuse with nothing more than network access to port 443. To make matters worse, the plug-in is enabled by default in vCenter Server whether or not the organisation actually uses vSAN, so many administrators may not even know it is present.
“The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server,” VMware described the issue in an advisory.
In its FAQ, VMware noted that network perimeter controls are the main line of defense against this vulnerability, since exploitation requires only reaching port 443:
“Organisations who have placed their vCenter Servers on networks that are directly accessible from the internet may not have that line of defense and should audit their systems for compromise,” the company advised. “They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.”
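The two actions VMware recommends in that passage, auditing which hosts have been reaching the management interface and restricting it with firewall rules or ACLs, are straightforward to script. The following is an added example, not VMware's code or part of the original article. It assumes a constructed key=value connection log of the kind many firewalls and load balancers emit, a hypothetical management network of 10.20.0.0/24 as the only range allowed to reach vCenter's TCP/443, and a Linux iptables firewall in front of the appliance for the rendered allow-list; adjust all three to your environment.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed sample of connection records to a vCenter Server's HTTPS port,
# in the key=value style many firewalls and load balancers emit.  These lines
# are made up for this example and do not come from any real system.
SAMPLE_CONNECTIONS = """\
2021-05-26T10:01:12Z src=10.20.0.15 dst=10.20.1.5 dport=443 action=allow
2021-05-26T10:01:40Z src=10.20.0.22 dst=10.20.1.5 dport=443 action=allow
2021-05-26T10:02:03Z src=203.0.113.77 dst=10.20.1.5 dport=443 action=allow
2021-05-26T10:02:09Z src=198.51.100.9 dst=10.20.1.5 dport=443 action=allow
2021-05-26T10:02:31Z src=203.0.113.77 dst=10.20.1.5 dport=443 action=allow
2021-05-26T10:03:00Z src=10.20.0.15 dst=10.20.1.5 dport=22 action=allow
"""

# Assumed management network: the only range that should ever reach the
# vCenter management interface.  Replace with your own allow-list.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_record(line: str) -> Dict[str, str]:
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def is_trusted(src: str, nets) -> bool:
    """True if src falls inside any allow-listed management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def untrusted_sources(log_text: str, nets, port: int = 443) -> Dict[str, int]:
    """Count connections to `port` from addresses outside the allow-list.

    Each key is an offending source IP, each value how many times it
    connected.  Anything listed here reached the management port from a
    network that should never have been able to; those hosts, and the
    vCenter itself, are candidates for the compromise audit VMware recommends.
    """
    hits: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("dport") != str(port):
            continue  # only the management HTTPS port matters here
        if not is_trusted(rec["src"], nets):
            hits[rec["src"]] += 1
    return dict(hits)


def iptables_rules(nets, port: int = 443) -> List[str]:
    """Render allow-list rules for a Linux iptables firewall in front of the
    appliance: accept the management networks, then drop everyone else.
    The INPUT chain is an assumed placement; adapt it to your ruleset."""
    rules = [
        f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
        for net in nets
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    offenders = untrusted_sources(SAMPLE_CONNECTIONS, MANAGEMENT_NETS)
    for src, count in sorted(offenders.items()):
        print(f"untrusted source {src}: {count} connection(s) to 443")
    print("\n".join(iptables_rules(MANAGEMENT_NETS)))
```

Run against the constructed sample, the audit flags 203.0.113.77 and 198.51.100.9 as having reached port 443 from outside the management range while ignoring the SSH connection on port 22; the rendered rules accept the management network first and end with a catch-all DROP, which is the ordering iptables needs for an allow-list to work.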
VMware urges customers to update vCenter Server, or, if patching is not immediately possible, to disable the affected vCenter Server plug-ins as a temporary workaround. The company has published instructions for doing so, but the workaround carries a cost:
“While vSAN will continue operating, manageability and monitoring are not possible while the plugin is disabled. A customer who is using vSAN should only consider disabling the plugin for short periods of time, if at all,” VMware warned.
In an accompanying blog post, VMware framed the urgency in terms of ransomware:
“In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.”
The company, however, warned that perimeter controls alone may not be enough and suggested stronger network segmentation between infrastructure management and the rest of the corporate network.
“Ransomware gangs have repeatedly demonstrated to the world that they are able to compromise corporate networks while remaining extremely patient, waiting for a new vulnerability in order to attack from inside a network,” it said. “Organizations may want to consider additional security controls and isolation between their IT infrastructure and other corporate networks as part of an effort to implement modern zero-trust security strategies.”
The second vulnerability, CVE-2021-21986 (CVSSv3 base score 6.5), is an authentication bypass: an attacker with network access to port 443 could perform actions permitted by the affected plug-ins without authenticating.
“The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins,” VMware said.