CVE-2021-21972 – Vulnerability Found in VMware vCenter Servers and Cloud Foundation
By Britton Grim, Greg Alexander,
On February 23, 2021, VMware released advisory VMSA-2021-0002 for vulnerabilities in multiple products including VMware vCenter Server and Cloud Foundation (Server Management Software) all tracked under CVE-2021-21972. These products provide a centralized platform for controlling vSphere environments which enable automation to the virtual infrastructure and the hybrid cloud. This vulnerability is rated critical by VMware. It allows for potential remote code execution, has a working proof of concept, is being actively targeted by attackers, and has low exploit complexity.
- vCenter Server version 7.0 (prior to 7.0 U1c)
- vCenter Server version 6.7 (prior to 6.7 U3l)
- vCenter Server version 6.5 (prior to 6.5 U3n)
- Cloud Foundation (vCenter Server) version 4.x (prior to 4.2)
- Cloud Foundation (vCenter Server) version 3.x (prior to 126.96.36.199)
Potential Impact of CVE-2021-21972
A remote attacker may upload an arbitrary file or execute arbitrary commands with SYSTEM privileges by leveraging these vulnerabilities in a vCenter server. A malicious actor with network access to port 443 can exploit the vulnerability to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. The vulnerability has a working proof of concept, low technical complexity, and is being actively sought out through mass scanning (per Threat Intelligence firm Bad Packets).
To make matters worse, Shodan queries indicate more than 6,700 VMware vCenter servers are currently exposed to the internet, which could be remotely exploited in their current configuration if they haven’t been patched. With the prevalence of VMware virtual environments, this vulnerability could have a large impact across many industry verticals, and is being compared in severity to the Citrix ADC/Gateway vulnerability from December of 2019 (also discovered by security research firm Positive Technologies).
VMware has released patches to mitigate this vulnerability. Administrators need to update to the latest fixed version in order to mitigate the vulnerability without implementing a workaround. Fixed versions include:
Cloud Foundation (vCenter Server) versions 4.x and 3.x are also susceptible to this vulnerability and must be updated to version 4.2 and 188.8.131.52.
The vCenter team reviewed CVE-2021-21972 and determined that a ‘workaround’ can be put into place as a temporary solution until a date when you are able to deploy remediations outlined in VMSA-2021-0002. This ‘workaround’ is for affected versions of vCenter (7.0 prior to 7.0 U1c, 6.7 prior to 6.7 U3l and 6.5 prior to 6.5 U3n).
The workarounds differ for Linux and Windows implementations. Please follow the instructions provided by VMware in their workaround article KB82374 (linked below) if you are unable to perform remediation as outlined in the advisory. Please note impacts to functionality exist, but are limited to environments that use vRealize Operations. However, VMware states that “the vulnerable endpoint exists in vCenter Server whether or not vRealize Operations has ever been introduced to the environment”. The impacts VMware notes are:
- New vRealize Operations customers will not have the provision/option to auto install & configure the vRealize Operations Appliance through the plugin
- Customers who have already configured a vCenter Adapter in vRealize Operations with vCenter will not be able to display the metric & alert details (both VC and vSAN overview widgets) in the vCenter H5 client
- Qualys will release QIDs 216255, 216254, and 216253 to detect hosts that haven’t received this latest patch update
- Tenable has not released a plugin ID for detection at the time of writing, however, you can utilize plugin ID 63061 for vCenter server detection as a starting point
- VMware Security Advisor (VMSA-2021-0002)
- VMware vCenter Server Workaround KB article (KB82374)
- ZDNet: “Critical VMware vCenter Server Flaw Can Expose Organization to Remote Attacks”
- SecurityWeek: “More than 6,700 VMware servers exposed online and vulnerable to major new bug”