Advisory May 27, 2021

Remote code execution vulnerability in vSphere Client (CVE-2021-21985)

Obrela SOC

On May 25, VMware issued a security advisory (VMSA-2021-0010) regarding two vulnerabilities affecting VMware vCenter Server and VMware Cloud Foundation. According to open source intelligence, an estimated 5,600 systems are exposed to the internet and vulnerable.

Remote code execution vulnerability in vSphere Client (CVE-2021-21985)

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server whether or not vSAN is in use. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Severity: 9.8 (Critical)

Affected versions: vCenter Server 7.0, 6.7, 6.5

Suggested resolution steps: https://kb.vmware.com/s/article/83829

Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986)

The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.

Severity: 6.5 (Moderate)

Affected versions: vCenter Server 7.0, 6.7, 6.5

Suggested resolution steps: https://kb.vmware.com/s/article/83829

Mitigation

Updates are available to remediate these vulnerabilities in the affected VMware products, and VMware urges users to patch as soon as possible. Patching is the only complete fix. Until the patch can be applied, the resolution steps linked above describe a workaround that disables the affected plug-ins in the vSphere Client; note that disabling the Virtual SAN Health Check plug-in removes vSAN health monitoring, so the workaround is only suitable for environments that do not rely on vSAN. Because port 443 on vCenter Server is the attack surface for both issues, restricting network access to the vCenter management interface to trusted administrative networks reduces exposure in the meantime.