On May 25, 2021, VMware released advisory VMSA-2021-0010 for two vulnerabilities impacting vCenter Server, which is management software for VMware vSphere systems. The two vulnerabilities are CVE-2021-21985 with a critical rating of 9.8 (CVSSv3) and CVE-2021-21986 with a rating 6.5, which are similar to patches released by VMware we wrote about in February.
- vCenter Server version 7.0 (prior to 7.0 U2b)
- vCenter Server version 6.7 (prior to 6.7 U3n)
- vCenter Server version 6.5 (prior to 6.5 U3p)
- Cloud Foundation version 4.x (prior to 4.2.1)
- Cloud Foundation version 3.x (prior to 184.108.40.206)
Impact of CVE-2021-21985 & CVE-2021-21986
CVE-2021-21985 presents a remote code execution vulnerability within the Virtual SAN Health Check plug-in, which is utilized to verify and validate the health of a Virtual SAN cluster, and is enabled in the default configuration of vCenter server.
In order to exploit CVE-2021-21985 an attacker would need to have access to port 443, but once available would be able to exploit the vulnerability due to a lack of input validation and gain unrestricted access to the underlying operating system that hosts the vCenter Server.
CVE-2021-21986 is an authentication mechanism issue within the following plug-ins utilized in vSphere client (HTML5):
- Virtual SAN Health Check
- Site Recovery
- vSphere Lifecycle Manager
- VMWare Cloud Director Availability
The vulnerability can potentially allow malicious attackers to perform commands without authentication by the impacted plugins over port 443.
VMware has released patches to resolve the vulnerability, but have also released workaround steps that can be taken if organizations are unable to patch. For patching, administrators need to update to the latest fixed version in order to resolve the vulnerability. Fixed versions include of vCenter Server are:
- 7.0 U2b
- 6.7 U3n
- 6.5 U3p
Cloud Foundation (vCenter Server) versions 4.x and 3.x are also susceptible to this vulnerability and must be updated to version 4.2.1 and 220.127.116.11.
VMware has also released a workaround by setting the Plugins to “incompatible” within the compatibility-matrix.xml file. Disabling the plugins from within the UI does not prevent exploitation and thus must be done directly in the XML file.
Here are the configuration lines that need to be configured per VMware:
|Plugin Name||Configuration Line|
|VMware vRealize Operations Client Plugin||<PluginPackage id=”com.vmware.vrops.install” status=”incompatible”/>|
|VMware vSAN H5 Client Plugin||<PluginPackage id=”com.vmware.vsphere.client.h5vsan” status=”incompatible”/>|
|Site Recovery||<PluginPackage id=”com.vmware.vrUi” status=”incompatible”/>|
|vCenter Server Life-cycle Manager||<PluginPackage id=”com.vmware.vum.client” status=”incompatible”/>|
|VMware Cloud Director Availability||<PluginPackage id=”com.vmware.h4.vsphere.client” status=”incompatible”/>|
Further information on how the VMware workaround is configured can be found on VMware’s website at the following location: https://kb.vmware.com/s/article/83829
- Qualys announced QIDs 216259, 216260, and 216261 will detect these vulnerabilities in vCenter versions 6.5, 6.7, and 7.0, respectively. The QIDs were still under development at the time of writing.
- Tenable has not released a plugin ID for detection at the time of writing, however, you can utilize plugin ID 63061 for vCenter server detection as a starting point.
- A list of Tenable plugins to identify these vulnerabilities will appear within the Tenable Plugin page here.
Dave Farquhar, Vulnerability Management Engineer III
Greg Alexander, Vulnerability Management Engineer