VMware Multiple High-Risk Vulnerabilities

March 1, 2021 | Jie Ji

Vulnerability Description

On February 23, 2021, VMware released a security bulletin announcing fixes for two high-risk vulnerabilities in vSphere Client and ESXi.

CVE-2021-21972: vSphere Client (HTML5) contains a remote code execution vulnerability in the vRealize Operations plug-in in vCenter Server, with a CVSSv3 score of 9.8. The affected vRealize Operations plug-in is installed in vCenter Server by default.

CVE-2021-21974: OpenSLP as used in ESXi is prone to a heap overflow vulnerability with a CVSSv3 score of 8.8. An attacker who is in the same network segment as ESXi and has access to port 427 could achieve arbitrary code execution by triggering a heap-based overflow in the OpenSLP service.

Reference link: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Scope of Impact

CVE-2021-21972

Affected Versions

  • vCenter Server 7.0 < 7.0 U1c
  • vCenter Server 6.7 < 6.7 U3l
  • vCenter Server 6.5 < 6.5 U3n
  • Cloud Foundation (vCenter Server) 4.X < 4.2
  • Cloud Foundation (vCenter Server) 3.X < 3.10.1.2

Unaffected Versions

  • vCenter Server 7.0 U1c
  • vCenter Server 6.7 U3l
  • vCenter Server 6.5 U3n
  • Cloud Foundation (vCenter Server) 4.2
  • Cloud Foundation (vCenter Server) 3.10.1.2

CVE-2021-21974

Affected Versions

  • ESXi 7.0 < 70U1c-17325551
  • ESXi 6.7 < 670-202102401-SG
  • ESXi 6.5 < 650-202102101-SG
  • Cloud Foundation (ESXi) 4.X < 4.2
  • Cloud Foundation (ESXi) 3.X

Unaffected Versions

  • ESXi 70U1c-17325551
  • ESXi 670-202102401-SG
  • ESXi 650-202102101-SG
  • Cloud Foundation (ESXi) 4.2
  • Cloud Foundation (ESXi) 3.X hotfix KB82705

Mitigation

1. Official Fix

The vendor has fixed these vulnerabilities in the latest versions. Affected users are advised to upgrade as soon as possible using the following links:

2. Workaround

1. CVE-2021-21972

You can disable the vROPS plug-in by referring to the official recommendations (https://kb.vmware.com/s/article/82374) given below:

1) Connect to the VCSA remotely through SSH (or connect to a Windows VC via Remote Desktop).

2) Back up the following file (the location depends on the platform):

  • /etc/vmware/vsphere-ui/compatibility-matrix.xml (vCSA)
  • C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui (Windows VC)

3) Using a text editor, add one line (the PluginPackage entry below) inside the <pluginsCompatibility> element:

<Matrix>
  <pluginsCompatibility>
    . . . .
    <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
    . . . .
  </pluginsCompatibility>
</Matrix>

The final file content is as follows:

4) Restart the vsphere-ui service using the command: vmon-cli -r vsphere-ui.

5) Check whether the vROPS plug-in is disabled: if it is, a response page with HTTP status code 404 is returned when you access the URL:

https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister

Under vSphere Client > Solutions > Client Plugins, VMware vRops Client Plugin should be displayed as incompatible.
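The vCenter workaround above, as an added example that is neither the advisory's nor VMware's code: a POSIX shell script that takes the backup from step 2, inserts the PluginPackage line from step 3 exactly once (so re-running it is safe), and reports whether the matrix already marks the plug-in incompatible. The sample matrix it writes is constructed for testing; run it against the real compatibility-matrix.xml on the VCSA, then restart vsphere-ui as in step 4.

```shell
#!/bin/sh
# Added example, not code from the NSFOCUS advisory or VMware KB 82374. Applies
# the KB 82374 workaround for CVE-2021-21972 idempotently: back up the matrix
# file, then add the vROPS PluginPackage entry inside <pluginsCompatibility>.
VROPS_ENTRY='<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>'

# vrops_disabled FILE: exit 0 if the matrix already marks vROPS incompatible.
vrops_disabled() {
    grep -q 'id="com.vmware.vrops.install"[^>]*status="incompatible"' "$1"
}
# count_vrops_entries FILE: number of vROPS PluginPackage lines (expect 1).
count_vrops_entries() {
    grep -c 'id="com.vmware.vrops.install"' "$1"
}
# disable_vrops FILE: back up FILE, then insert the entry once, directly
# before the closing </pluginsCompatibility> tag, indented like a sibling.
disable_vrops() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if vrops_disabled "$file"; then
        echo "vROPS plug-in already marked incompatible in $file"
        return 0
    fi
    grep -q '</pluginsCompatibility>' "$file" || {
        echo "no <pluginsCompatibility> element in $file" >&2; return 1; }
    cp -p "$file" "$file.bak-$(date +%Y%m%d%H%M%S)" || return 1
    awk -v entry="$VROPS_ENTRY" '
        /<\/pluginsCompatibility>/ && !done {
            indent = $0; sub(/[^[:space:]].*$/, "", indent)
            print indent "  " entry
            done = 1
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
# write_sample_matrix FILE: constructed stand-in for a real matrix, for testing.
write_sample_matrix() {
    cat > "$1" <<'EOF'
<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.example.plugin" status="compatible"/>
  </pluginsCompatibility>
</Matrix>
EOF
}
# Usage: sh disable_vrops.sh /etc/vmware/vsphere-ui/compatibility-matrix.xml
[ $# -ge 1 ] && disable_vrops "$1"
```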

2. CVE-2021-21974

You can disable the SLP service used by the CIM server by referring to the official recommendations (https://kb.vmware.com/s/article/76372) given below:

1) Stop the SLP service on the ESXi host using the following command: /etc/init.d/slpd stop. The service can be stopped only when it is not in use. Run the "esxcli system slp stats get" command to view the operating status of the service daemon.

2) Run the following command to disable the SLP service: esxcli network firewall ruleset set -r CIMSLP -e 0

3) Run the following command to make the preceding change persist across reboots: chkconfig slpd off

4) Run the following command to check whether the change will be applied after a reboot: chkconfig --list | grep slpd. The command output should be slpd off.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyberattacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.