VMware Notifies Critical RCE Vulnerability in Default Installs of All vCenter Servers 2021

essidsolutions

VMware discloses two critical vulnerabilities in vCenter Server, the company’s virtualization management tool, that could allow remote code execution, which in turn could trigger ransomware attacks.

A pair of new vulnerabilities residing in three versions of VMware’s vCenter Server 2021 threaten the entire network fabric of an organization unless patched immediately. To get an idea of how dangerous the pair of vulnerabilities can be: VMware, which usually just publishes an advisory, this time published a separate blog post and FAQ section calling on users of vCenter Server to prioritize implementing safeguards against potential hackers.

“This needs your immediate attention if you are using vCenter Server,” writes Bob Plankers, Technical Marketing Architect at VMware. “All environments are different, have different tolerance for risk, and have different security controls & defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act.”

VMware vCenter Server is a popular server management software used by organizations globally. It is used to centrally manage virtualization in data centers as well as the company’s vSphere and ESXi host products for performance monitoring, scalability, and automated alerts across the entire infrastructure.

According to HG Insights, vCenter Server is leveraged by 5,608 companies, most of which should have received an email from VMware about mitigating the threat. A quick search on Shodan, a service that counts specific public or internet-facing systems, revealed that 5,554 instances of vCenter Server are online as of today, over 1,300 of which are located in the United States.

Today is an un-fun day for ~6K vCenter users pic.twitter.com/fWn7wuN2Zs

— boB Rudis (@hrbrmstr) May 26, 2021

And even if those instances are not internet-facing, a threat actor can still exploit one of the two new vulnerabilities, provided they are already inside the network. Besides vCenter Server, VMware also provides several of the most widely used virtualization tools globally.


vCenter Server Vulnerabilities

Identified together as VMSA-2021-0010 by VMware, the two flaws are tracked as CVE-2021-21985 and CVE-2021-21986.

CVE-2021-21985 is a remote code execution bug that allows an attacker to execute arbitrary code. This bug scored 9.8 out of a maximum possible 10 on the CVSS scale, placing it in the ‘Critical’ severity category. It exists due to a lack of input validation in the Virtual SAN Health Check plug-in in the vSphere Client (HTML5).

Virtual SAN Health Check is enabled by default in all three affected versions, viz., vCenter Server 6.5, 6.7, and 7.0, even if not in use. Claire Tills, former product marketing manager at cybersecurity company Tenable, said, “To exploit this vulnerability, an attacker would need to be able to access vCenter Server over port 443. Even if an organization has not exposed vCenter Server externally, attackers can still exploit this flaw once inside a network.”

But even if the Virtual SAN Health Check plug-in is disabled, the other bug, CVE-2021-21986, allows unauthenticated users to get in and take malicious actions through multiple plug-ins. Besides Virtual SAN Health Check, the authentication flaw behind CVE-2021-21986 can allow an attacker to use the Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.

However, with a CVSS score of 6.5, the severity of CVE-2021-21986 is lower than that of CVE-2021-21985, placing it in the ‘Medium’ severity category. CVE-2021-21986 is also exploitable over port 443 and, like CVE-2021-21985, it exists in versions 6.5, 6.7, and 7.0.

In February this year, threat actors scoured for public-facing vulnerable ESXi servers with CVE-2019-5544 (CVSS 9.8) and CVE-2020-3992 (CVSS 9.8), with proofs of concept (PoCs) surfacing only a day after VMware patched its ESXi hypervisor.

No PoC code is available for either of the two new bugs, although, going by how quickly PoCs popped up in the wake of previous disclosures by VMware, PoCs for VMSA-2021-0010 can be expected soon.

Mitigation of Vulnerabilities on VMware vCenter Server

Plankers added, “In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.”

Patches for both CVE-2021-21986 and CVE-2021-21985 are available. Organizations unable to patch their vCenter Server deployments can disable the plug-ins as a temporary workaround, although that may impact normal activities.

For instance, disabling the vSAN plug-in won’t impact operations; it will, however, affect manageability and monitoring of the virtualized environment. At the same time, disabling vSphere Admins will prevent patching, updating, and upgrading of hosts and other parts of the product ecosystem on vSphere 7.

“If you ARE a vSAN customer, disabling the vSAN plugin will remove all ability to manage vSAN. No monitoring, no management, no alarms, nothing. This might be fine for your organization for very short periods of time but we at VMware cannot recommend it. Please use caution,” VMware explained.

Additionally, disabling the Site Recovery and vCloud Availability plug-ins won’t hamper operations, though their management will have to be done via the Site Recovery UI and vCloud UI respectively until the plug-ins are re-enabled, thus defeating the purpose of vCenter Server, which centralizes that management.
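To turn the trade-offs above into a repeatable triage, here is an added example (not VMware’s code or guidance) that ranks a constructed vCenter inventory by exposure on port 443 and affected version, and spells out the per-plug-in workaround with its operational cost; the plug-in names and the inventory records are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Affected vCenter branches and plug-ins named in the advisory coverage above
# (plug-in identifiers are simplified labels, not VMware's own plug-in IDs).
AFFECTED_BRANCHES = {"6.5", "6.7", "7.0"}
AFFECTED_PLUGINS = {"vsan-health", "site-recovery", "lifecycle-manager", "vcd-availability"}

@dataclass
class VCenter:
    name: str
    version: str            # e.g. "7.0.1"; only the major.minor branch matters here
    patched: bool           # VMSA-2021-0010 fix applied
    internet_facing: bool   # TCP/443 reachable from the internet
    enabled_plugins: set
    uses_vsan: bool         # vSAN actually in use, not just the default-enabled plug-in

def triage(vc: VCenter):
    """Return (priority, actions) for one vCenter instance."""
    branch = ".".join(vc.version.split(".")[:2])
    if branch not in AFFECTED_BRANCHES or vc.patched:
        return "none", ["no action: not an affected branch or already patched"]
    # Internet exposure of 443 raises priority; inside-network reach still counts.
    priority = "critical" if vc.internet_facing else "high"
    actions = ["patch under an emergency change (fixes both CVEs)"]
    for plugin in sorted(vc.enabled_plugins & AFFECTED_PLUGINS):
        if plugin == "vsan-health":
            if vc.uses_vsan:
                # Disabling removes all vSAN management and monitoring: not a viable workaround.
                actions.append("vsan-health: keep enabled (vSAN in use); rely on the patch")
            else:
                actions.append("vsan-health: disable until patched (vSAN not in use)")
        elif plugin == "lifecycle-manager" and branch == "7.0":
            actions.append("lifecycle-manager: disable until patched (host patching/upgrades blocked meanwhile)")
        else:
            actions.append(f"{plugin}: disable until patched (use its standalone UI meanwhile)")
    return priority, actions

def plan(fleet):
    """Order a fleet so the most exposed, unpatched hosts come first."""
    order = {"critical": 0, "high": 1, "none": 2}
    results = [(vc.name,) + triage(vc) for vc in fleet]
    return sorted(results, key=lambda r: order[r[1]])

# Constructed sample inventory (not real hosts).
FLEET = [
    VCenter("vc-dmz", "7.0.1", False, True, {"vsan-health", "lifecycle-manager"}, False),
    VCenter("vc-lab", "6.7.0", False, False, {"vsan-health", "site-recovery"}, True),
    VCenter("vc-new", "7.0.2", True, False, {"vsan-health"}, False),
]

if __name__ == "__main__":
    for name, prio, acts in plan(FLEET):
        print(name, prio, *acts, sep="\n  ")
```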


Closing Thoughts

This is the second time since February 2021 that VMware’s highly sought-after products have been found to have security flaws. Of the four vulnerabilities discovered, three are just shy of a perfect 10 on the CVSS scale.

Cybercriminals are always on the prowl for such inviting vulnerabilities, especially in products and systems of a company such as VMware, whose global presence makes it a highly lucrative target. It is the company’s job to rustle up a fix, and its customers’ job to take remediation steps as soon as a fix is available.
