On May 25, VMware issued a security advisory (VMSA-2021-0010) regarding 2 vulnerabilities affecting VMware vCenter Server and VMware Cloud Foundation. According to open source intelligence, it is estimated that almost 5.600 systems are vulnerable.
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Severity: 9.8 (Critical)
Affected versions: 7.0, 6.7, 6.5
Suggested resolution steps: https://kb.vmware.com/s/article/83829
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.
Severity: 6.5 (Moderate)
Affected versions: 7.0, 6.7, 6.5
Suggested resolution steps: https://kb.vmware.com/s/article/83829
Updates are available to remediate these vulnerabilities in affected VMware products and VMware urges users to patch their devices. Until you are able to patch properly, and you don’t use vSAN, then the above suggested resolution steps can be used for disabling the plugins affected by these two vulnerabilities.
On February 23, VMware issued a security advisory (VMSA-2021-0002) regarding 3 vulnerabilities affecting VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation. According to open source intelligence, it is estimated that more than 6.700 systems are vulnerable
Vmware vCenter Server RCE in vSphere Client (CVE-2021-21972)
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Severity: 9.8 (Critical)
Affected versions: 7.0, 6.7, 6.5
Suggested resolution steps: https://kb.vmware.com/s/article/82374
ESXi heap overflow (CVE-2021-21974)
A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
Severity: 8.8 (Important)
Affected versions: 7.0, 6.7, 6.5
Suggested resolution steps: https://kb.vmware.com/s/article/76372
Vmware vCenter Server SSRF in vSphere Client (CVE-2021-21973)
A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure.
Severity: 5.3 (Moderate)
Affected versions: 7.0, 6.7, 6.5
Suggested resolution steps: https://kb.vmware.com/s/article/82374
Mitigation
Updates are available to remediate these vulnerabilities in affected VMware products, however only the provided steps ensure temporary mitigation. It is advised to perform the provided workarounds for each vulnerability separately, as soon as possible as exploitation proof of concept scripts are now publicly available for both Windows and Linux targets.
