VMware Urges Rapid Patching for Serious vCenter Server Bug
Attackers Could Exploit 'Critical' Flaw to Remotely Execute Arbitrary Code
VMware is warning all vCenter Server administrators to patch their software to fix a serious vulnerability that could be used to execute arbitrary code as well as a separate authentication flaw.
The vulnerabilities are present in vCenter Server 6.5, 6.7 and 7.0, as well as VMware Cloud Foundation, VMware warns.
Administrators use vCenter Server to manage installations of vSphere, which is VMware's virtualization platform.
The vulnerabilities need "your immediate attention if you are using vCenter Server," VMware's Bob Plankers says in a blog post.
"All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so the decision on how to proceed is up to you," he writes. "However, given the severity, we strongly recommend that you act."
The most serious issue, designated CVE-2021-21985, is within what's called "vSphere Client (HTML5)." It's a remote code execution flaw that has a CVSSv3 base score of 9.8 out of 10, according to VMware's advisory. Scores of that magnitude mean the flaw, if successfully exploited, could be used by remote attackers to execute arbitrary code.
The flaw is caused by a lack of input validation within the Virtual SAN Health Check plug-in that's enabled by default, VMware says, thanking the researcher known as "Ricter Z" at Chinese firm 360 Noah Lab for notifying it of the vulnerability.
"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server," the advisory says.
Users are vulnerable even if they don't use the vSAN plug-in.
VMware's Plankers says the best fix is to install the patch, which eliminates the flaw. But the company has also described mitigations that an organization can use if it can't patch right away. One of those involves restricting access to vCenter Server management interfaces using network perimeter access controls.
Plankers stresses that organizations should move quickly to get the patch in place, and he recommends they assume they have already been breached.
"In this era of ransomware, it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible," he writes.
Kevin Beaumont (GossiTheDog), who heads the security operations center at U.K. fashion retailer Arcadia, likewise recommends organizations "keep calm" but nevertheless patch quickly, before code for exploiting the flaw becomes public.
The IoT search engine Shodan.io counts at least 5,500 internet-connected instances of VMware vCenter. Beaumont says many do not appear to be patched.
Separate Flaw in vSphere Client
VMware on Tuesday also issued an alert about a second flaw, designated CVE-2021-21986, which is also in the vSphere Client. This vulnerability exists in the authentication mechanism in several plug-ins, including Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability.
Attackers able to exploit the flaw via port 443 could issue commands to the plug-in without having to authenticate, says VMware, which rates the bug a 6.5 on the CVSSv3 scale.
Plankers writes that VMware has been making improvements to the vCenter Server plug-in framework to fix the problem, but warns that the changes may cause some plug-ins to break. VMware has notified its partners of the changes, and Plankers says most plug-ins appear to be continuing to work correctly.
But he warns that "there may be a period after updating when a virtualization admin team may need to access backup, storage or other systems through their respective management interfaces and not through the vSphere Client UI. If a third-party plug-in in your environment is affected, please contact the vendor that supplied it for an update."
Proof-of-Concept Exploit: VMware ESXi Flaw
Separately, security researcher Johnny Yu (@straight_blast) reported Tuesday that he's developed a proof-of-concept exploit for a heap-overflow vulnerability in VMware ESXi OpenSLP, designated CVE-2021-21974.
VMware's ESXi is a hypervisor, meaning it's designed to run virtual machines. VMware first issued a warning and patch for the flaw in February, saying it was discovered and reported by Mikhail Klyuchnikov of Moscow-based security firm Positive Technologies. The vulnerability has been designated as "critical," meaning it could be used by attackers to remotely execute any code they wanted on a vulnerable system and take full control of it.
"A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution," the National Vulnerability Database says of the flaw.
"Here is my RCE exploit code and writeup for (CVE-2021-21974) VMware ESXi OpenSLP heap-overflow discovered by @_wmliang_. Thank you again for your write-up. [writeup] https://t.co/LoKlsYVyAJ" - straightblast (@straight_blast), May 25, 2021
"ESXi vulnerabilities get used by a small number of ransomware groups as they allow bypass of all security controls - when you’re on the hypervisor layer you’re above the OS and security layer, so you can do what you like," Arcadia's Beaumont says.
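The mitigation VMware describes for vCenter Server (restricting access to management interfaces on port 443) and the NVD's note that the ESXi OpenSLP flaw is reachable on port 427 both come down to which networks can reach those ports. The following is an added example, not code from VMware or from this report: a small audit of firewall allow rules against an asset list. The rule format, host names, addresses and admin network are constructed for illustration, and it assumes any allow rule counts, ignoring rule ordering and protocol.

```python
import ipaddress

# Management ports named in the article: vSphere Client on vCenter Server (443)
# and the OpenSLP service on ESXi (427).
SENSITIVE_PORTS = {"vcenter": 443, "esxi": 427}

# Constructed sample data (hypothetical hosts, networks and rule format).
ASSETS = {"vcsa01": ("vcenter", "10.20.0.10"), "esx01": ("esxi", "10.20.1.21")}
ADMIN_NETS = ["10.99.0.0/24"]
RULES = [
    {"id": "r1", "action": "allow", "src": "10.99.0.0/24",
     "dst": "10.20.0.0/16", "ports": (443, 443)},   # admin jump hosts
    {"id": "r2", "action": "allow", "src": "0.0.0.0/0",
     "dst": "10.20.0.10/32", "ports": (443, 443)},  # anyone to vCenter
    {"id": "r3", "action": "allow", "src": "10.30.0.0/16",
     "dst": "10.20.1.0/24", "ports": (1, 1024)},    # user VLAN, wide port range
    {"id": "r4", "action": "deny", "src": "0.0.0.0/0",
     "dst": "10.20.0.0/16", "ports": (427, 427)},
]

def audit_rules(rules, assets, admin_nets):
    """Return (rule_id, asset, port) for every allow rule that lets a source
    outside the admin networks reach a management port on a listed asset."""
    admin = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        lo, hi = rule["ports"]
        # Acceptable only if the whole source range sits inside an admin network.
        if any(src.version == a.version and src.subnet_of(a) for a in admin):
            continue
        for name, (role, addr) in assets.items():
            port = SENSITIVE_PORTS[role]
            if ipaddress.ip_address(addr) in dst and lo <= port <= hi:
                findings.append((rule["id"], name, port))
    return findings

if __name__ == "__main__":
    for rule_id, asset, port in audit_rules(RULES, ASSETS, ADMIN_NETS):
        print(f"{rule_id}: non-admin source can reach {asset} on port {port}")
```

Rule r3 is flagged even though it never names port 427, because its wide port range covers the OpenSLP port on the ESXi host.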
Executive Editor Mathew J. Schwartz contributed to this report.