Cybercriminals can exploit vCenter servers yet again

May 26, 2021 11:32 GMT

VMware has released fixes for a critical vulnerability in vCenter Server that an attacker can exploit to execute arbitrary code on the server.

The vulnerability, tracked as CVE-2021-21985 (CVSS score: 9.8), stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in of the vSphere Client. The plug-in ships with vCenter Server and is enabled by default, regardless of whether vSAN is actually in use, so vCenter deployments that have never configured vSAN are affected too.

VMware said in its advisory that "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server".

VMware vCenter Server is server management software that lets administrators manage virtual machines, ESXi hosts, and other dependent components from a single location. The issue affects vCenter Server versions 6.5, 6.7, and 7.0, as well as Cloud Foundation versions 3.x and 4.x. VMware credits Ricter Z of 360 Noah Lab with reporting the vulnerability.

VMware released security patches to fix this security flaw

The same release also fixes an authentication-mechanism issue in the vSphere Client that affects the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins (CVE-2021-21986, CVSS score: 6.5). This flaw lets an attacker with network access to port 443 perform actions permitted by those plug-ins without authenticating.

CVE-2021-21985 is the second major vCenter Server vulnerability VMware has had to address this year. In February it patched CVE-2021-21972, a remote code execution flaw in another vCenter Server plug-in that likewise allowed commands to be executed with unrestricted privileges on the underlying operating system hosting the server.

The vCenter fixes follow VMware's earlier patch for another critical remote code execution flaw, this one in vRealize Business for Cloud (CVE-2021-21984, CVSS score: 9.8), which a malicious actor with network access could exploit to execute arbitrary code on the appliance.

Users running affected versions should update as soon as possible; the fixed releases are vCenter Server 7.0 U2b, 6.7 U3n, and 6.5 U3p. Because the only precondition is network access to port 443, any system that can reach the vSphere Client interface is a potential launch point, so vCenter management interfaces should never be exposed to the internet and should be restricted to administrative networks. Where patching has to wait, VMware's published workaround disables the affected plug-ins, including the vSAN Health Check plug-in, which means vSAN health monitoring is unavailable until the patch is applied and the workaround is reverted.