Heimdal Security Blog

Critical Flaw Is Impacting All vCenter Server Deployments, VMware Alerts

VMware, Inc., an American cloud computing and virtualization technology company, is advising its vCenter users to immediately update vCenter Server versions 6.5, 6.7, and 7.0 following the discovery of a serious remote code execution (RCE) flaw in the Virtual SAN Health Check plug-in.

The most urgent is CVE-2021-21985, a remote code execution flaw in a vSAN plugin that is enabled by default in vCenter. A threat actor who can reach port 443 on the vCenter Server could use it to execute whatever they want on the underlying host machine.

Since the vSAN plugin is enabled by default, all vCenter users are exposed, even those who do not use vSAN.

The company provided more information about the issue in a press release:

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.

VMware said that a remote code execution (RCE) vulnerability is one where a cybercriminal who can reach the impacted software over the network can execute commands on it and bypass the security controls in place.

“This leaves perimeter firewall controls, and vCenter Server VAMI firewall controls, as the last line of defense against this problem until it is fixed.

Organizations who have placed their vCenter Servers on networks that are directly accessible from the internet may not have that line of defense and should audit their systems for compromise,” the company states.

They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.
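The perimeter advice above can be checked offline against an exported rule set. The following is an added example, not code from Heimdal or VMware: it flags any allow rule that lets TCP/443 reach a vCenter address from a source outside the approved management networks. The rule line format, the addresses and the networks are constructed assumptions.

```python
"""Offline audit of firewall/ACL rules guarding a vCenter management interface.

Rules are evaluated individually; a preceding deny that shadows an allow is
not modelled, so the audit is deliberately conservative (may over-report).
IPv4 only in this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port, None = any


def parse_rules(text: str) -> List[Rule]:
    """Parse constructed 'action src dst proto port' lines; '*' means any port."""
    rules = []
    for line in text.strip().splitlines():
        action, src, dst, proto, port = line.split()
        rules.append(Rule(action, src, dst, proto, None if port == "*" else int(port)))
    return rules


def exposes_vcenter(rule: Rule, vcenter_ip: str, mgmt_nets) -> bool:
    """True if rule allows TCP/443 to vcenter_ip from a non-management source."""
    if rule.action != "allow":
        return False
    if rule.proto not in ("tcp", "any") or rule.port not in (None, 443):
        return False
    if ipaddress.ip_address(vcenter_ip) not in ipaddress.ip_network(rule.dst):
        return False
    src = ipaddress.ip_network(rule.src)
    # Acceptable only if the whole source range sits inside one management net
    return not any(src.subnet_of(net) for net in mgmt_nets)


def audit(rule_text: str, vcenter_ip: str, mgmt_cidrs) -> List[Rule]:
    """Return the rules that expose the vCenter host's port 443."""
    mgmt_nets = [ipaddress.ip_network(c) for c in mgmt_cidrs]
    return [r for r in parse_rules(rule_text) if exposes_vcenter(r, vcenter_ip, mgmt_nets)]


# Constructed sample: vCenter at 10.10.5.20, management network 10.10.0.0/16
SAMPLE_RULES = """\
allow 10.10.0.0/16 10.10.5.20/32 tcp 443
allow 0.0.0.0/0 10.10.5.20/32 tcp 443
allow 192.168.50.0/24 10.10.5.0/24 any *
deny 0.0.0.0/0 10.10.5.0/24 any *
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_RULES, "10.10.5.20", ["10.10.0.0/16"]):
        print("EXPOSED:", r)
```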


To remediate the problem, VMware urges customers to update vCenter Server and also provides instructions on how to disable vCenter Server plugins.

While vSAN will continue operating, manageability and monitoring are not possible while the plugin is disabled. A customer who is using vSAN should only consider disabling the plugin for short periods of time, if at all.


vCenter Server is advanced server management software that provides a centralized platform for controlling vSphere environments, giving visibility across hybrid clouds.

VMware warns that ransomware attackers have repeatedly shown that they can and will compromise corporate networks and then wait patiently for a new vulnerability to attack from inside the network.

This is not unique to VMware products, but it does inform our suggestions here. Organizations may want to consider additional security controls and isolation between their IT infrastructure and other corporate networks as part of an effort to implement modern zero-trust security strategies.


VMware also patched a medium severity authentication mechanism issue tracked as CVE-2021-21986 that would enable a threat actor to execute actions allowed by plugins without authentication.

Earlier this year, a pair of ESXi vulnerabilities were being used by ransomware gangs to acquire control of virtual machines and encrypt virtual hard drives.