VMware Patches Vulnerabilities in vCenter Server
Overview
VMware have released an update to address 19 security vulnerabilities in vCenter Server.
The most severe of these (CVE-2021-22005) is a file upload vulnerability which can lead to Remote Code Execution (RCE). Patching is recommended but a temporary mitigation for the RCE is available.
Impact
The most critical issue is that a remote attacker with network access to vCenter Server can execute code remotely on the server (CVE-2021-22005).
A remote attacker with network access to port 443 on vCenter Server may be able to access otherwise restricted endpoints (CVE-2021-22006, CVE-2021-22017), perform unauthenticated VM network setting manipulation (CVE-2021-22011), disclose sensitive information (CVE-2021-22012, CVE-2021-22013, CVE-2021-22008) or perform a Denial of Service (CVE-2021-22009, CVE-2021-22010).
A remote attacker with network access to port 9087 on vCenter Server may be able to delete non-critical files (CVE-2021-22018).
A remote attacker with network access to port 5480 on vCenter Server may be able to perform a Denial of Service (CVE-2021-22019).
An authenticated VAMI user with network access to port 5480 may be able to execute code on the operating system that hosts vCenter Server. (CVE-2021-22014)
A local user with non-administrative access may be able to elevate their permissions (CVE-2021-21991, CVE-2021-22015), gain access to sensitive information (CVE-2021-22007, CVE-2021-21993) or perform a Denial of Service (CVE-2021-21992, CVE-2021-22020).
An attacker who can manipulate a user into clicking a link (e.g. via a phishing email) may execute malicious scripts on the server (CVE-2021-22016).
Vulnerability Detection
Check the running version and build of vCenter Server and compare it against the patched versions listed in VMware's advisory.
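The following triage helper is an added example and is not part of the advisory or of any VMware tooling. It parses two common ways of reading the appliance version (the output format of `vpxd -v`, assumed here to look like `VMware VirtualCenter 7.0.2 build-NNNNNNNN`, and the JSON shape assumed for the VAMI `GET /rest/appliance/system/version` response) and compares the build number against a per-version-line table of fixed builds. The build numbers in `FIXED_BUILDS` are placeholders: take the real fixed builds for the 6.5, 6.7 and 7.0 lines from VMware's advisory before relying on the result.

```python
"""Triage helper: is this vCenter Server build older than the fixed build for
its version line?  Added example, not VMware's code.  All sample inputs below
are constructed."""
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional

# ASSUMPTION / PLACEHOLDER: replace with the fixed build numbers from the
# VMware advisory for each affected version line (6.5, 6.7, 7.0).
FIXED_BUILDS: Dict[str, int] = {
    "6.5": 99999999,  # placeholder
    "6.7": 99999999,  # placeholder
    "7.0": 99999999,  # placeholder
}


@dataclass
class VcVersion:
    line: str   # major.minor line, e.g. "7.0" (7.0.x all belong to the 7.0 line)
    build: int  # appliance build number


def parse_vpxd_output(text: str) -> Optional[VcVersion]:
    """Parse an assumed 'vpxd -v' style string such as
    'VMware VirtualCenter 7.0.2 build-12345678'."""
    m = re.search(r"(\d+\.\d+)(?:\.\d+)*\s+build-(\d+)", text)
    if not m:
        return None
    return VcVersion(line=m.group(1), build=int(m.group(2)))


def parse_vami_json(payload: str) -> Optional[VcVersion]:
    """Parse the assumed VAMI JSON shape {"value": {"version": "...", "build": "..."}}.
    Also accepts the inner object on its own."""
    data = json.loads(payload)
    value = data.get("value", data)
    version, build = value.get("version"), value.get("build")
    if not version or not build:
        return None
    m = re.match(r"(\d+\.\d+)", str(version))
    if not m:
        return None
    return VcVersion(line=m.group(1), build=int(build))


def assess(v: Optional[VcVersion], fixed_builds: Dict[str, int] = FIXED_BUILDS) -> str:
    """Return 'affected', 'patched' or 'unknown'.

    Builds are only comparable within one version line, which is why the
    table is keyed by line rather than holding a single global threshold."""
    if v is None:
        return "unknown"
    fixed = fixed_builds.get(v.line)
    if fixed is None:
        return "unknown"  # version line not covered by the table
    return "patched" if v.build >= fixed else "affected"


def triage_samples(fixed_builds: Dict[str, int] = FIXED_BUILDS) -> Dict[str, str]:
    """Run the parsers over constructed sample inputs and return host -> verdict."""
    samples = {
        # constructed 'vpxd -v' style line
        "vc01": parse_vpxd_output("VMware VirtualCenter 7.0.2 build-11111111"),
        # constructed VAMI JSON
        "vc02": parse_vami_json('{"value": {"version": "6.7.0.50000", "build": "22222222"}}'),
        # unrecognised input
        "vc03": parse_vpxd_output("not a version string"),
    }
    return {host: assess(v, fixed_builds) for host, v in samples.items()}


if __name__ == "__main__":
    for host, verdict in triage_samples().items():
        print(f"{host}: {verdict}")
```

With the placeholder thresholds every parsed host reports `affected`; once the table holds the advisory's real fixed builds, a host whose build is at or above its line's fixed build reports `patched`, and hosts on a version line the table does not know (or whose version string cannot be parsed) report `unknown` so they are not silently treated as safe.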
Affected Products
– VMware vCenter Server 6.5, 6.7, and 7.0.
– VMware Cloud Foundation
Containment, Mitigations & Remediations
VMware have released a patch that should be installed immediately.
Where this is not practicable, other temporary mitigations are available.
Indicators of Compromise
No known active in-the-wild exploitation at this time.
Threat Landscape
As with a number of other remotely exploitable vulnerabilities we’ve seen recently, we expect to see this used for ransomware deployment. VMware have a section of their website dedicated to ransomware resilience, including security configuration guidance and firewalling guidance.
Mitre Methodologies
– T1189 – Drive-by Compromise
– T1190 – Exploit Public-Facing Application
– T1499.004 – Denial of Service via Application or System Exploitation
– T1566.002 – Spearphishing Link