Patch immediately: VMware warns of critical remote code execution hole in vCenter

If an attacker hits port 443, they could execute whatever code they please on the host operating system thanks to a vulnerability in vCenter.
Written by Chris Duckett, Contributor
View of the VMWARE exhibition center
Image: MaboHH / Getty Images

VMware is urging its vCenter users to update vCenter Server versions 6.5, 6.7, and 7.0 immediately, after a pair of vulnerabilities were reported privately to the company.

The most pressing is CVE-2021-21985, which relates to a remote code execution vulnerability in a vSAN plugin enabled by default in vCenter that an attacker could use to run whatever they wished on the underlying host machine, provided they can access port 443.

Even if users do not use vSAN, they are likely to be affected because the vSAN plugin is enabled by default.

"The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server," VMware described the issue in an advisory.

In its FAQ, VMware warned that since the attacker only needs to be able to hit port 443 to conduct the attack, firewall controls are the last line of defence for users.

"Organisations who have placed their vCenter Servers on networks that are directly accessible from the internet may not have that line of defence and should audit their systems for compromise," the company states.

"They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure."

To fix the issue, VMware recommends users update vCenter, or if not possible, the company has provided instructions on how to disable vCenter Server plugins.

"While vSAN will continue operating, manageability and monitoring are not possible while the plugin is disabled. A customer who is using vSAN should only consider disabling the plugin for short periods of time, if at all," VMware warned.

Users are warned that the patches provide better plugin authentication, and some third-party plugins may break and users are directed to contact the plugin vendor.

"This needs your immediate attention if you are using vCenter Server," VMware said in a blog post.

"In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible."

Even having perimeter controls may not be enough, and VMware suggested users look at better network separation.

"Ransomware gangs have repeatedly demonstrated to the world that they are able to compromise corporate networks while remaining extremely patient, waiting for a new vulnerability in order to attack from inside a network," it said.

"This is not unique to VMware products, but it does inform our suggestions here. Organisations may want to consider additional security controls and isolation between their IT infrastructure and other corporate networks as part of an effort to implement modern zero-trust security strategies."

The second vulnerability, CVE-2021-21986, would allow an attacker to perform actions allowed by plugins without authentication.

"The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins," VMware said.

In terms of CVSSv3 scores, CVE-2021-21985 hit an 9.8, while CVE-2021-21986 was scored as 6.5.

Earlier this year, a pair of ESXi vulnerabilities were being used ransomware gangs to take over virtual machines and encrypt virtual hard drives.

Related Coverage

Editorial standards