On May 26, NSFOCUS CERT discovered that VMware released a security advisory that announces mitigation of the VMware vCenter Server remote code execution vulnerability (CVE-2021-21985) and vCenter Server plug-in authentication bypass vulnerability (CVE-2021-21986). The Virtual SAN Check plug-in in vCenter Server lacks input validation, allowing attackers who have accessed vSphere Client (HTML5) through port 443 to execute arbitrary code on the target host via a crafted packet. The affected plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used. The vulnerability has a CVSS score of 9.8. Affected users are advised to take mitigation measures against this vulnerability as soon as possible.
vCenter Server is a server management solution from VMware to help IT administrators manage virtual machines and hosts in enterprise environments via a single console.
Reference link: https://www.vmware.com/security/advisories/VMSA-2021-0010.html
Scope of Impact
- vmware vcenter_server < 6.5 U3p
- vmware vcenter_server < 6.7 U3n
- vmware vcenter_server < 7.0 U2b
- Cloud Foundation (vCenter Server) < 22.214.171.124
- Cloud Foundation (vCenter Server) < 4.2.1
Currently, the vendor has fixed this vulnerability in the latest versions. Affected users are advised to upgrade as soon as possible from the following links:
If it is impossible to upgrade currently, users can take the following mitigation measures by referring to the official link:
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.