On 21 September 2021, VMware issued a security advisory on multiple vulnerabilities affecting some versions of VMware vCenter Server and Cloud Foundation. We recommend applying the latest updates as soon as possible.
- Among the 19 flaws covered in the advisory, the most severe one, CVE-2021-22005, was assigned a CVSS 3.1 score of 9.8. Someone with network access could upload a crafted file and use it to execute code on the vCenter (VC) Server Appliance.
- This versions affected are:
- vCenter Server 6.7 deployments on Linux-based virtual appliances (vCSA)
- VCSAs running as external Platform Services Controllers (PSCs) in a vCenter 6.7 environment
- VC versions 7.0 on both Windows and Linux
- Cloud Foundation versions 3.x and 4.x
- The flaw does not impact 6.7 VC systems running on Windows. It has been addressed in versions 7.0U2c build 18356314 released on August 24th, and 6.7U3o build 18485166 released on September 21st.
- Based on recent reports regarding vCenter flaws used in ransomware campaigns, the company warned that imminent exploitation of this vulnerability is likely. Shortly after, several independent reports emerged on an ongoing scanning activity for this flaw.
- Other vulnerabilities were noted in vCenter Server that could lead to various scenarios of exploitation once a threat actor gains initial entry. These include:
- CVE-2021-21991 could allow a non-administrative user on vCenter Server host to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash). The problem is in the way vCenter Server handles session tokens. CVSSv3 base score: 8.8.
- CVE-2021-22006 could allow a user with network access to port 443 on vCenter Server to access restricted endpoints. It is a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. CVSSv3 base score: 8.3.
- CVE-2021-22011 could allow a user with network access to port 443 on vCenter Server to perform unauthenticated VM network setting manipulation.
- This is due to an unauthenticated API endpoint vulnerability in vCenter Server Content Library. CVSSv3 base score: 8.1.
- The best way to remediate this vulnerabilities is to apply the latest updates as outlined by VMware.
- A workaround is available for those unable to patch for CVE-2021-22005 now. This involves editing a text file on the VCSA and restarting services.