VMware VCenter Server Remote Code Execution Vulnerability (CVE-2021-21985) Threat Alert

VMware VCenter Server Remote Code Execution Vulnerability (CVE-2021-21985) Threat Alert

June 4, 2021 | Jie Ji

Vulnerability Description

On May 26, NSFOCUS CERT discovered that VMware released a security advisory that announces mitigation of the VMware vCenter Server remote code execution vulnerability (CVE-2021-21985) and vCenter Server plug-in authentication bypass vulnerability (CVE-2021-21986). The Virtual SAN Check plug-in in vCenter Server lacks input validation, allowing attackers who have accessed vSphere Client (HTML5) through port 443 to execute arbitrary code on the target host via a crafted packet. The affected plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used. The vulnerability has a CVSS score of 9.8. Affected users are advised to take mitigation measures against this vulnerability as soon as possible.

vCenter Server is a server management solution from VMware to help IT administrators manage virtual machines and hosts in enterprise environments via a single console.

Reference link: https://www.vmware.com/security/advisories/VMSA-2021-0010.html

Scope of Impact

Affected Versions

  • vmware vcenter_server < 6.5 U3p
  • vmware vcenter_server < 6.7 U3n
  • vmware vcenter_server < 7.0 U2b
  • Cloud Foundation (vCenter Server) < 3.10.2.1
  • Cloud Foundation (vCenter Server) < 4.2.1

Mitigation

Official Fix

Currently, the vendor has fixed this vulnerability in the latest versions. Affected users are advised to upgrade as soon as possible from the following links:

Product VersionDownload LinkOperation Guide
  vCenter Server 7.0U2bhttps://my.vmware.com/en/w eb/vmware/downloads/info/sl ug/datacenter_cloud_infrastr ucture/vmware_vsphere/7_0 https://docs.vmware.com/en/VMware -vSphere/7.0/rn/vsphere-vcenter-ser ver-70u2b-release-notes.html
  vCenter Server 6.7U3nhttps://my.vmware.com/en/w eb/vmware/downloads/info/sl ug/datacenter_cloud_infrastr ucture/vmware_vsphere/6_7https://docs.vmware.com/en/VMware -vSphere/6.7/rn/vsphere-vcenter-ser ver-67u3n-release-notes.html
  vCenter Server 6.5U3phttps://my.vmware.com/en/w eb/vmware/downloads/info/sl ug/datacenter_cloud_infrastr ucture/vmware_vsphere/6_5https://docs.vmware.com/en/VMware -vSphere/6.5/rn/vsphere-vcenter-ser ver-65u3p-release-notes.html
  VMware vCloud Foundation 4.2.1https://my.vmware.com/en/w eb/vmware/downloads/detail s?downloadGroup=VCF421& productId=1121&rPId=67576https://docs.vmware.com/en/VMware -Cloud-Foundation/4.2.1/rn/VMware- Cloud-Foundation-421-Release-Note s.html
VMware vCloud Foundation 3.10.2.1https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/V Mware-Cloud-Foundation-3102-Release-Notes.html#3.10.2.1

Workaround

If it is impossible to upgrade currently, users can take the following mitigation measures by referring to the official link:

https://kb.vmware.com/s/article/83829

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.