VMware Patches Vulnerabilities in vCenter Server
Overview
VMware have released updates (advisory VMSA-2021-0020) to address 19 security vulnerabilities in vCenter Server.
The most severe of these, CVE-2021-22005, is an arbitrary file upload vulnerability in the vCenter Server Analytics service that can be exploited by an unauthenticated attacker with network access to the vCenter web interface and leads to Remote Code Execution (RCE). Patching is strongly recommended; where that is not immediately possible, VMware have published a temporary workaround for the RCE issue.
Impact
The most critical issue is that an unauthenticated remote attacker with network access to port 443 on vCenter Server can upload an arbitrary file and execute code on the appliance (CVE-2021-22005).
A remote attacker with network access to port 443 on vCenter Server may be able to reach otherwise restricted endpoints by bypassing the reverse proxy (CVE-2021-22006, CVE-2021-22017), manipulate VM network settings without authentication (CVE-2021-22011), disclose sensitive information (CVE-2021-22012, CVE-2021-22013, CVE-2021-22008) or cause a Denial of Service (CVE-2021-22009, CVE-2021-22010).
A remote attacker with network access to port 9087 on vCenter Server may be able to delete non-critical files (CVE-2021-22018).
A remote attacker with network access to port 5480 on vCenter Server may be able to cause a Denial of Service (CVE-2021-22019).
An authenticated VAMI user with network access to port 5480 may be able to execute code on the operating system that hosts vCenter Server (CVE-2021-22014).
A local user with non-administrative access may be able to elevate their privileges (CVE-2021-21991, CVE-2021-22015), gain access to sensitive information (CVE-2021-22007, CVE-2021-21993) or cause a Denial of Service (CVE-2021-21992, CVE-2021-22020).
An attacker who can induce a user to click a crafted link (e.g. via a phishing email) may execute malicious script in that user's browser in the context of the vSphere Client, a reflected cross-site scripting issue (CVE-2021-22016). The script runs client-side, not on the vCenter server itself.
Vulnerability Detection
Check the running version and build of vCenter Server and compare it against the fixed releases listed in VMSA-2021-0020. The build number is shown in the vSphere Client (Help > About), in the VAMI on port 5480, by running `vpxd -v` on the appliance, or via the appliance REST API (`GET /rest/appliance/system/version`).
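As an added example (not code from the original advisory or from VMware), the script below turns that check into something you can run across a fleet: it parses either the output of `vpxd -v` or the JSON returned by the appliance version API and classifies the build against the first fixed build of each supported release line. The fixed build numbers in the table are my recollection of the VMSA-2021-0020 patch releases (7.0 U2d, 6.7 U3o, 6.5 U3q) and are an assumption; confirm them against VMware's build-number KB before relying on the verdicts. All sample inputs in the block are constructed, not captured from a real system.

```python
"""Classify a vCenter Server build against the fixed builds of VMSA-2021-0020."""
import json
import re

# Earliest builds carrying the VMSA-2021-0020 fixes, per VMware's patch releases
# as I recall them. ASSUMPTION: verify these against VMware's build-number KB.
FIXED_BUILDS = {
    "7.0": 18455184,  # vCenter Server 7.0 U2d
    "6.7": 18485166,  # vCenter Server 6.7 U3o
    "6.5": 18499837,  # vCenter Server 6.5 U3q
}

# `vpxd -v` on the appliance prints a line of the form:
#   VMware VirtualCenter 7.0.2 build-18356314
_VPXD_RE = re.compile(r"VMware VirtualCenter (\d+)\.(\d+)(?:\.\d+)? build-(\d+)")


def assess(release_line: str, build: int) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for a release line (e.g. '7.0')."""
    fixed = FIXED_BUILDS.get(release_line)
    if fixed is None:
        # e.g. 6.0 or older: out of general support, no fix is available, so treat
        # it as needing an upgrade rather than silently passing it.
        return "unsupported"
    # Builds within one release line increase monotonically, so a simple
    # comparison is enough; later express patches compare as patched.
    return "patched" if build >= fixed else "vulnerable"


def assess_vpxd_output(text: str):
    """Parse `vpxd -v` output; returns (release_line, build, verdict)."""
    m = _VPXD_RE.search(text)
    if not m:
        raise ValueError("unrecognised vpxd -v output: %r" % text)
    line = "%s.%s" % (m.group(1), m.group(2))
    build = int(m.group(3))
    return line, build, assess(line, build)


def assess_api_json(payload: str):
    """Parse GET /rest/appliance/system/version JSON; 7.0 wraps the object in "value"."""
    data = json.loads(payload)
    data = data.get("value", data)
    line = ".".join(data["version"].split(".")[:2])
    build = int(data["build"])
    return line, build, assess(line, build)


if __name__ == "__main__":
    # Constructed samples, not output from any real vCenter.
    print(assess_vpxd_output("VMware VirtualCenter 7.0.2 build-18356314"))
    print(assess_api_json('{"value": {"version": "7.0.2.00400", "build": "18455184"}}'))
    print(assess_vpxd_output("VMware VirtualCenter 6.0.0 build-5000000"))
```

Feed it `vpxd -v` output collected over SSH, or the API response fetched with a session token from `POST /rest/com/vmware/cis/session`; a `vulnerable` verdict for a 6.5 host means the other 18 issues apply even though CVE-2021-22005 itself does not affect 6.5.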
Affected Products
– VMware vCenter Server 6.5, 6.7 and 7.0 (note that CVE-2021-22005 affects only 6.7 and 7.0; 6.5 is affected by the remaining issues).
– VMware Cloud Foundation (which bundles vCenter Server) 3.x and 4.x.
Containment, Mitigations & Remediations
VMware have released fixed versions (vCenter Server 7.0 U2d, 6.7 U3o and 6.5 U3q, plus corresponding Cloud Foundation updates) that should be installed immediately.
Where this is not practicable, VMware have published a temporary workaround for CVE-2021-22005 (VMware KB 85717) that disables the vulnerable Analytics service endpoint. The workaround does not address the other 18 issues, so it is a stop-gap until patching. In all cases, management interfaces (ports 443, 5480 and 9087) should be reachable only from trusted administrative networks.
Indicators of Compromise
No known active in-the-wild exploitation at this time.
Threat Landscape
As with a number of other remotely exploitable vulnerabilities we have seen recently, we expect this to be used for ransomware deployment, given that control of vCenter gives an attacker control of every VM it manages. VMware have a section of their website dedicated to ransomware resilience, including security configuration guidance and firewalling guidance for vSphere management interfaces.
MITRE ATT&CK Methodologies
– T1189 – Drive-by Compromise
– T1190 – Exploit Public-Facing Application
– T1499.004 – Denial of Service via Application or System Exploitation
– T1566.002 – Spearphishing Link