June 07, 2021
On May 25th, 2021, VMWare announced a pair of critical vulnerabilities in VMWare vCenter Server versions 6.5, 6.7, and 7.0 and VMware Cloud Foundation versions 4.x and 3.x. The most critical vulnerability CVE-2021-21985 allows for remote code execution against a vSAN (Virtual SAN Health Check) plugin enabled by default in vCenter. An attacker with access to port 443 could leverage this vulnerability to execute commands with unrestricted privileges on the underlying host machine. The second vulnerability, CVE-2021-21986, allows an attacker to perform actions permitted by the impacted plugins without authentication. These vulnerabilities are now being remotely exploited and need to be patched or otherwise remediated ASAP if this has not already been done.
We have not seen any remote attacks against vCenter servers; however, these machines are still vulnerable to more localized attacks.
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
1. Identify the products being used in your network and apply the workaround/patch as required.
2. Review network logs for any suspicious connection attempts on port 443 to VMWare vCenter Servers.
Apply the following updates for the affected deployments.
- vCenter Server 7.0: 7.0 U2b
- vCenter Server 6.7: 6.7 U3n
- vCenter Server: 6.5: 6.5 U3p
- Cloud Foundation (vCenter Server) 4.x: 4.2.1
- Cloud Foundation (vCenter Server) 3.x: 22.214.171.124
- Disable VMware Plugins in vCenter Server (83829): KB83829
- VMware – https://www.vmware.com/security/advisories/VMSA-2021-0010.html
- ZDNet – https://www.zdnet.com/article/patch-immediately-vmware-warns-of-critical-remote-code-execution-holes-in-vcenter/
- CVE-2021-21985 Details – https://nvd.nist.gov/vuln/detail/CVE-2021-21985
- CVE-2021-21986 Details – https://nvd.nist.gov/vuln/detail/CVE-2021-21986