VMware published a security advisory on Tuesday, 23rd February describing three vulnerabilities affecting their vCenter Server, ESXi and Cloud Foundation products (VMSA-2021-0002). Of the three vulnerabilities, CVE-2021-21972 is the most critical with a CVSSv3 score of 9.8 out of 10. This is an unauthenticated remote code execution (RCE) vulnerability found in the HTML5 vSphere Client component of VMware vCenter’s vRealize Operations (vROps) plugin. 1
The impacted vCenter Server plugin for vROps is present in all default installations, with vROPs not being required for the affected endpoint to be available. VMware has confirmed there are patches and workarounds available to address these vulnerabilities.
In-depth technical details of the vulnerabilities were published on 24th February. There are no reports of these vulnerabilities being exploited in the wild. However, there are reports of opportunistic scanning, and several proof of concept (POC) exploits have been released. According to Rapid7, CVE-2021-21972 presents an immediate threat and they expect to see active and widespread exploitation soon. 1
An unauthenticated, remote attacker could exploit this vulnerability by uploading a specially crafted file to a vulnerable vCenter Server endpoint that is accessible over port TCP/443. Successful exploitation of this vulnerability allows an attacker to gain unrestricted RCE privileges in the underlying operating system of the VCenter server. 2
Due to the critical nature of this vulnerability, we urge our customers to update affected VMware products to one of the fixed versions using VMWare’s emergency patch. If immediate patching is not possible, a workaround is available until patching can be completed, the details of which are provided in this article. In addition to CVE-2021-21972, there are two lower-severity vulnerabilities: 3
- CVE-2021-21973 – The vSphere Client (HTML5) contains an SSRF (Server-Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. A malicious actor with network access to port TCP/443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure.
- CVE-2021-21974 – OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8. A malicious actor residing within the same network segment as ESXi who has access to port 1TCP/427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
These vulnerabilities will be detected by normal scanning activities for ITC VI customers, provided the affected hosts are within the scope of their scans, but can be requested specifically if not.
Alternatively, customers can manually check the version of ESXi/vCenter server by following these steps:
To determine the build number of ESX/ESXi using the vSphere Client:
- Using the vSphere Client log in to the vCenter Server or ESX/ESXi host.
- In the Hosts and Clusters view, click the ESX/ESXi host in the inventory.
- Above the tabs, you see a line that identifies the host. This line includes the build number of the selected ESX/ESXi host.
In 6.x and above use the http://host-name/ui or http://host-IP-address/ui.
Determining the build number of vCenter Server using the vSphere Client:
- Log in to the vSphere Client.
- Select the vCenter Server.
- Click the Summary tab.
- The build is located under the Version Information section. 4
The following VMware products are affected:
- vCenter Server 7.x before 7.0 U1c
- vCenter Server 6.7 before 6.7 U3l
- vCenter Server 6.5 before 6.5 U3n
- Cloud Foundation (vCenter Server) 4.x before 4.2
- Cloud Foundation (vCenter Server) 3.x before 184.108.40.206
It is crucial that all organisations using the HTML5 VMware vSphere Client immediately restrict network access to those clients, especially if they are not segregated away on a management network. We highly recommend that customers either implement the workarounds noted in this article or consider expedited patching on their affected systems.
To fully remediate these vulnerabilities, patch VMware products to match the versions, as follows:
- CVE-2021-21972 and CVE-2021-21973
- vCenter Server version 7.0 fixed by version 7.0 U1c
- vCenter Server version 6.7 fixed by version 6.7 U3l
- vCenter Server version 6.5 fixed by version 6.5 U3n
- Cloud Foundation (vCenter Server) 4.x fixed by version 4.2
- Cloud Foundation (vCenter Server) 3.x fixed by version 220.127.116.11
- ESXi version 7.0 fixed by version ESXi70U1c-17325551
- ESXi version 6.7 fixed by version ESXi670-202102401-SGo ESXi version 6.5 fixed by version ESXi650-202102101-SG
o Cloud Foundation (ESXi) 4.x fixed by version 4.2
o Cloud Foundation (ESXi) 3.x fixed by KB82705 5
If immediate patching is not possible, apply the following workarounds:
- For CVE-2021-21972 and CVE-2021-21973 on Linux-based virtual appliances (vCSA), perform the following actions:
- SSH to vCSA and take a backup of /etc/vmware/vsphere-ui/compatibility-matrix.xml
- Add the following line inside the tags:
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
- Restart the vsphere-ui service using the following command:
service-control --restart vsphere-ui
- For CVE-2021-21974, the workaround is to stop and disable the SLP service on affected ESXi hosts.
The full workaround steps for each vulnerability are available from VMware:
- CVE-2021-21972 and CVE-2021-21973: https://kb.vmware.com/s/article/82374
- CVE-2021-21974: https://kb.vmware.com/s/article/76372