Home / About / Threat Intelligence / VMware Patches Vulnerabilities in vCenter Server

Overview

VMware have released an update to address 19 security vulnerabilities in vCenter Server.

The most severe of these (CVE-2021-22005) is a file upload vulnerability which can lead to Remote Code Execution (RCE). Patching is recommended but a temporary mitigation for the RCE is available.

Impact

The most critical issue is that a remote attacker with network access to vCenter Server can execute code remotely on the server (CVE-2021-22005).

A remote attacker with network access to port 443 on vCenter Server may be able to access otherwise restricted endpoints (CVE-2021-22006)(CVE-2021-22017), perform unauthenticated VM network setting manipulation (CVE-2021-22011), disclose sensitive information (CVE-2021-22012, CVE-2021-22013, CVE-2021-22008) or perform a Denial of Service(CVE-2021-22009, CVE-2021-22010)

A remote attacker with network access to port 9087 on vCenter Server may be able to delete non-critical files (CVE-2021-22018)

A remote attacker with network access to port 5480 on vCenter Server may be able to perform a Denial of Service (CVE-2021-22019)

An authenticated VAMI user with network access to port 5480 may be able to execute code on the operating system that hosts vCenter Server. (CVE-2021-22014)

A local user with non-administrative access may be able to elevate their permissions(CVE-2021-21991)(CVE-2021-22015), gain access to sensitive information (CVE-2021-22007, CVE-2021-21993), perform a Denial of Service (CVE-2021-21992, CVE-2021-22020)

An attacker who can manipulate a user to click a link (eg. with a phishing email) may execute malicious scripts on the server (CVE-2021-22016).

Vulnerability Detection

Check the running version of vCenter.

Affected Products

– VMware vCenter Server 6.5, 6.7, and 7.0.
– VMware Cloud Foundation

Containment, Mitigations & Remediations

VMware have released a patch that should be installed immediately.

Where this is not practicable, other temporary mitigations are available.

Indicators of Compromise

No known active in-the-wild exploitation at this time.

Threat Landscape

As with a number of other remotely exploitable vulnerabilities we’ve seen recently, we expect to see this used for ransomware deployment. VMware have a section of their website dedicated to ransomware resilience including security configuration guidance and Firewalling guidance.

Mitre Methodologies

T1189 – Drive-by Compromise
T1190 – Exploit Public-Facing Application
T1499.004 – Denial of Service via Application or System Exploitation
T1566.002 – Spearphishing Link

Further Information

Advisory:VMSA-2021-0020

VMSA-2021-0020: Questions & Answers