VMware patches serious vulnerabilities
On February 23, 2021 VMware released a security advisory (VMSA-2021-0002) to address two vulnerabilities in vCenter Server, a centralized management software for VMware vSphere systems, as well as a vulnerability in the VMware ESXi hypervisor. The most notable vulnerability disclosed as a part of this advisory is CVE-2021-21972, a critical remote code execution (RCE) flaw in vCenter Server. The vulnerability was discovered and disclosed to VMware by Mikhail Klyuchnikov, a security researcher at Positive Technologies.
These vulnerabilities allow unauthenticated clients to execute arbitrary commands and to send requests on behalf of the targeted server over various protocols:
- Unauthenticated file upload leading to remote code execution (RCE) (CVE-2021-21972)
- An unauthenticated server-side request forgery (SSRF) vulnerability (CVE-2021-21973)
About the vulnerability
- CVE-2021-21972 is an unauthenticated file upload vulnerability in vCenter Server.
- The issue stems from a lack of authentication in the vRealize Operations vCenter Plugin.
- It received a critical CVSSv3 score of 9.8 out of 10.0.
- An unauthenticated, remote attacker could exploit this vulnerability by uploading a specially crafted file to a vulnerable vCenter Server endpoint that is publicly accessible over port 443.
- Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code with unrestricted privileges on the underlying operating system of the vCenter Server.
- For Windows systems, an attacker could upload a specially crafted .jsp file in order to gain SYSTEM privileges on the underlying operating system.
- For Linux systems, an attacker would need to generate and upload a public key to the server’s authorized keys path and then connect to the vulnerable server via SSH.
- Despite the fact that this vulnerability stems from the vRealize Operations vCenter Plugin, the VMware advisory confirms that this plugin is included “in all default installations” of vCenter Server.
- The vulnerable endpoint is available irrespective of the presence of vRealize Operations.
- There are currently over 6,700 vCenter Server systems that are affected and publicly accessible.
- VMware released the following updates for vCenter Server to address CVE-2021-21972 and CVE-2021-21973:
i. vCenter Server 6.5
ii. vCenter Server 6.7
iii. vCenter Server 7.0
- It is highly recommended to update systems to the versions:
- If upgrading is not feasible at this time, VMware has provided workaround instructions for CVE-2021-21972 and CVE-2021-21973 that involve a change to the compatibility matrix file and setting the vRealize Operations vCenter Plugin to incompatible.
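As an added illustration (not part of the advisory or of VMware's own tooling), the following Python helper audits whether the workaround entry is present in the vSphere UI compatibility matrix and applies it idempotently. The `<Matrix>`/`<pluginsCompatibility>`/`<PluginPackage>` element names and the plugin id `com.vmware.vrops.install` follow VMware's published workaround as recalled here and are assumptions to confirm against VMware KB 82374; the file location is left as a placeholder, and the sample matrix is constructed.

```python
# Added example: audit/apply the VMSA-2021-0002 workaround in compatibility-matrix.xml.
# Element names and plugin id are assumed from VMware KB 82374; verify before use.
import xml.etree.ElementTree as ET
from typing import Optional

VROPS_PLUGIN_ID = "com.vmware.vrops.install"          # vRealize Operations vCenter Plugin (assumed id)
COMPAT_MATRIX_PATH = "/path/to/compatibility-matrix.xml"  # placeholder: use the location from the KB

# Constructed sample resembling a default matrix with no workaround applied.
SAMPLE_MATRIX = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.example.other" status="compatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def vrops_status(xml_text: str) -> Optional[str]:
    """Return the status recorded for the vROps plugin, or None if it has no entry."""
    root = ET.fromstring(xml_text)
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == VROPS_PLUGIN_ID:
            return pkg.get("status")
    return None


def workaround_applied(xml_text: str) -> bool:
    """True only when the plugin is explicitly marked incompatible (the KB workaround state)."""
    return vrops_status(xml_text) == "incompatible"


def apply_workaround(xml_text: str) -> str:
    """Return the matrix text with the vROps plugin marked incompatible; safe to run repeatedly."""
    root = ET.fromstring(xml_text)
    container = root.find("pluginsCompatibility")
    if container is None:
        container = ET.SubElement(root, "pluginsCompatibility")
    for pkg in container.iter("PluginPackage"):
        if pkg.get("id") == VROPS_PLUGIN_ID:
            pkg.set("status", "incompatible")   # flip an existing entry rather than duplicating it
            break
    else:
        ET.SubElement(container, "PluginPackage", id=VROPS_PLUGIN_ID, status="incompatible")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Real use: back up the file, write apply_workaround(...) back, then restart the vsphere-ui service.
    print("workaround applied:", workaround_applied(SAMPLE_MATRIX))
    print("after apply:", workaround_applied(apply_workaround(SAMPLE_MATRIX)))
```

Editing the file is only half of the published workaround; the vsphere-ui service must also be restarted for the change to take effect.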