VMware patches serious vulnerabilities

On February 23, 2021 VMware released a security advisory (VMSA-2021-0002) to address two vulnerabilities in vCenter Server, the centralized management software for VMware vSphere environments, as well as a vulnerability in the VMware ESXi hypervisor. The most notable vulnerability disclosed as part of this advisory is CVE-2021-21972, a critical remote code execution (RCE) flaw in vCenter Server. The vulnerability was discovered and disclosed to VMware by Mikhail Klyuchnikov, a security researcher at Positive Technologies.

CVEs Affected

These vulnerabilities allow unauthenticated clients to execute arbitrary commands and to send requests on behalf of the targeted server over various protocols:

  1. Unauthenticated file upload leading to remote code execution (RCE) (CVE-2021-21972)
  2. An unauthenticated server-side request forgery (SSRF) vulnerability (CVE-2021-21973)

About the vulnerability

  1. CVE-2021-21972 is an unauthenticated file upload vulnerability in vCenter Server.
  2. The issue stems from a lack of authentication in the vRealize Operations vCenter Plugin.
  3. It received a critical CVSSv3 score of 9.8 out of 10.0.
  4. An unauthenticated, remote attacker could exploit this vulnerability by uploading a specially crafted file to a vulnerable vCenter Server endpoint that is publicly accessible over port 443.
  5. Successful exploitation of this vulnerability would result in an attacker gaining unrestricted RCE privileges in the underlying operating system of the vCenter Server.
  6. For Windows systems, an attacker could upload a specially crafted .jsp file in order to gain SYSTEM privileges on the underlying operating system.
  7. For Linux systems, an attacker would need to generate and upload a public key into the server's SSH authorized_keys path and then connect to the vulnerable server via SSH.

Vulnerable Systems

  1. Despite the fact that this vulnerability stems from the vRealize Operations vCenter Plugin, the VMware advisory confirms that this plugin is included “in all default installations” of vCenter Server.
  2. The vulnerable endpoint is available irrespective of the presence of vRealize Operations.
  3. There are currently over 6,700 vCenter Server systems that are affected and publicly accessible.

Recommendations

  1. VMware released the following updates for vCenter Server to address CVE-2021-21972 and CVE-2021-21973:

     i. vCenter Server 6.5

     ii. vCenter Server 6.7

     iii. vCenter Server 7.0

  2. It is highly recommended to update systems to the versions:

     i. 3.10.1.2

     ii. 4.2

  3. If upgrading is not feasible at this time, VMware has provided workaround instructions for CVE-2021-21972 and CVE-2021-21973 that involve a change to the compatibility matrix file and setting the vRealize Operations vCenter Plugin to incompatible.
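The workaround in the last recommendation can be verified and applied programmatically. The script below is an added example, not VMware's own tooling; it assumes the compatibility matrix is an XML file whose `<pluginsCompatibility>` element holds `<PluginPackage id="..." status="..."/>` entries, and that the vRealize Operations plugin package id is the `PLUGIN_ID` value shown (both are assumptions to confirm against the vendor's workaround KB before use).

```python
"""Audit and apply the 'mark plugin incompatible' workaround for VMSA-2021-0002."""
import xml.etree.ElementTree as ET

# Assumed package id of the vRealize Operations vCenter Plugin (confirm against vendor KB).
PLUGIN_ID = "com.vmware.vrops.install"

# Constructed sample matrix that does NOT yet carry the workaround entry (weak state).
VULNERABLE_MATRIX = """<Matrix>
  <pluginsCompatibility>
  </pluginsCompatibility>
</Matrix>"""


def plugin_disabled(matrix_xml: str, plugin_id: str = PLUGIN_ID) -> bool:
    """Return True only if the plugin is explicitly marked status="incompatible".

    A missing entry means the plugin is still active, so it is reported as NOT disabled.
    """
    root = ET.fromstring(matrix_xml)
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == plugin_id:
            return pkg.get("status", "").strip().lower() == "incompatible"
    return False


def apply_workaround(matrix_xml: str, plugin_id: str = PLUGIN_ID) -> str:
    """Return matrix XML with the plugin marked incompatible (idempotent, hardened state).

    An existing entry for the plugin is flipped in place; otherwise one is added, so the
    file never ends up with duplicate PluginPackage entries for the same id.
    """
    root = ET.fromstring(matrix_xml)
    container = root.find("pluginsCompatibility")
    if container is None:
        container = ET.SubElement(root, "pluginsCompatibility")
    for pkg in container.iter("PluginPackage"):
        if pkg.get("id") == plugin_id:
            pkg.set("status", "incompatible")
            break
    else:
        ET.SubElement(container, "PluginPackage", id=plugin_id, status="incompatible")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("plugin disabled before workaround:", plugin_disabled(VULNERABLE_MATRIX))
    hardened = apply_workaround(VULNERABLE_MATRIX)
    print("plugin disabled after workaround: ", plugin_disabled(hardened))
    print(hardened)
```

Run it against a copy of the real matrix file, then diff the output against the original before replacing anything on the appliance.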