Critical remote code execution flaw in thousands of VMware vCenter servers remains unpatched

Close to a month on, internet-facing servers remain vulnerable to attack.

Researchers have warned that thousands of internet-facing VMware vCenter servers still harbor critical vulnerabilities weeks after patches were released.

The vulnerabilities affect VMware vCenter Server, a centralized management utility for vSphere environments.

VMware issued patches for two critical bugs, CVE-2021-21985 and CVE-2021-21986, on May 25.

The first security flaw, CVE-2021-21985, affects VMware vCenter Server and VMware Cloud Foundation and has been assigned a CVSS score of 9.8. The bug lies in a vSAN plugin that is enabled by default in the application, and it allows an attacker with network access to port 443 to achieve remote code execution (RCE).

VMware said in a security advisory that the bug can be exploited to give threat actors access to "the underlying operating system that hosts vCenter Server" with "unrestricted privileges."

The bug affects vCenter Server 6.5, 6.7, and 7.0, alongside Cloud Foundation vCenter Server 3.x and 4.x.

The second vulnerability, CVE-2021-21986, is present in the vSphere Client (HTML5) and the vSphere authentication mechanism for a variety of plugins: Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability. 

Considered less critical with a CVSS score of 6.5, this flaw still permits attackers with access to port 443 to "perform actions allowed by the impacted plug-ins without authentication."

It appears that thousands of internet-facing servers are still exposed and vulnerable to both CVE-2021-21985 and CVE-2021-21986. 

On Tuesday, researchers from Trustwave SpiderLabs said their analysis identified 5,271 instances of VMware vCenter Server reachable from the internet, the majority running versions 6.7, 6.5, and 7.0, with port 443 the most commonly exposed port.

Using the Shodan search engine for further examination, the team was able to pull version data from 4,969 of those instances and found that 4,019 of them -- or 80.88% -- remain unpatched.

The remaining 19.12% are also likely to be vulnerable, as they run old versions of the software, including 2.5x and 4.0x, that are end-of-life and no longer supported.

At the time the vendor issued the security fixes, VMware said the vulnerabilities demanded the "immediate attention" of users. As previously reported by ZDNet, the patches may break some third-party plugins; where applying the fixes is not possible, server owners are asked to disable the affected VMware plugins to mitigate the risk of exploitation.

Critical bugs of this kind should be patched, or at least mitigated, as quickly as possible.

Proof-of-Concept (PoC) code has been released for CVE-2021-21985. The issue is severe enough that the US Cybersecurity and Infrastructure Security Agency (CISA) has alerted vendors to patch their builds. 
