Heimdal

VMware, Inc., an American cloud computing and virtualization technology company, is advising its vCenter users to immediately update vCenter Server versions 6.5, 6.7, and 7.0 following the discovery of a serious remote code execution (RCE) flaw in the Virtual SAN Health Check plug-in.

The most urgent is CVE-2021-21985, a remote code execution flaw in a vSAN plugin that is enabled by default in vCenter. A threat actor who can reach port 443 could exploit it to run whatever they want on the underlying host machine.

Since the vSAN plugin is enabled by default, every vCenter user is exposed, even those who do not use vSAN at all.

The company provided more information about the issue in a press release:

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.

VMware explained that a remote code execution (RCE) vulnerability is one where a cybercriminal who can reach the affected software over the network can execute commands on it and bypass the security controls in place.

This leaves perimeter firewall controls, and vCenter Server VAMI firewall controls, as the last line of defense against this problem until it is fixed.

“Organizations who have placed their vCenter Servers on networks that are directly accessible from the internet may not have that line of defense and should audit their systems for compromise,” the company states.

They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.


To fix the problem, VMware urges customers to update vCenter Server and also provides instructions on how to disable vCenter Server plugins.

While vSAN will continue operating, manageability and monitoring are not possible while the plugin is disabled. A customer who is using vSAN should only consider disabling the plugin for short periods of time, if at all.


vCenter Server is an advanced server management software that provides a centralized platform for controlling vSphere environments for visibility across hybrid clouds.

VMware warns that ransomware attackers have repeatedly shown they can and will compromise corporate networks and then patiently wait for a new vulnerability to exploit from inside the network.

This is not unique to VMware products, but it does inform our suggestions here. Organizations may want to consider additional security controls and isolation between their IT infrastructure and other corporate networks as part of an effort to implement modern zero-trust security strategies.


VMware also patched a medium severity authentication mechanism issue tracked as CVE-2021-21986 that would enable a threat actor to execute actions allowed by plugins without authentication.

Earlier this year, a pair of ESXi vulnerabilities were used by ransomware gangs to gain control of virtual machines and encrypt their virtual hard drives.

Author Profile

Antonia Din

PR & Video Content Manager


As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.