
VMware Vulnerability With A Severity Rating of 9.8 Out Of 10 Disclosed

Brock Bingham

Have you ever heard of VMware?  You'd be forgiven if you hadn't.  It only has about 400,000 customers, including 100% of the Fortune 500 companies (cue Will Ferrell, saying, "I'm kind of a big deal").  In fact, I'd be willing to bet that, since you're here reading this article, you most likely utilize VMware in your organization.  If that's the case, you probably have some emergency patching to do.

The Threat

On Tuesday, May 25th, VMware disclosed a security vulnerability affecting its very popular vCenter Server Management Solution and VMware Cloud Foundation.  vCenter Server provides a centralized platform for controlling VMware vSphere environments, and is utilized extensively in larger organizations and data centers.

The vulnerability, tracked as CVE-2021-21985 and CVE-2021-21986, is rated a 9.8 out of 10 on the severity scale, which is about as critical as it gets.  The vulnerability resides in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.  Here is the description provided by VMware:

"The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.  VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8."

VMware provided further details about the attack vector, explaining that:

"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server." 

Because this threat lives on the virtualization layer, successfully exploiting the vulnerability would provide attackers with immense control over environments.

The affected versions of vCenter Server are versions 6.5, 6.7, and 7.0.  Considering that version 6.0 reached end of life in March of 2020, it's safe to say that all currently supported versions of vCenter Server are affected by this vulnerability.

The Solution

As you can imagine, a massive organization like VMware takes threats like this very seriously.  As a result, VMware released several updates at the same time the vulnerability was disclosed.  A workaround is also available if immediate patching is not an option.  Here are the relevant links to the version updates and their documentation (keep in mind that you may need to be logged in to My VMware in order to access the downloads):

vCenter Server 7.0 U2b

Downloads and Documentation:

https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/7_0

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2b-release-notes.html

vCenter Server 6.7 U3n

Downloads and Documentation:

https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3n-release-notes.html

vCenter Server 6.5 U3p

Downloads and Documentation:

https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3p-release-notes.html

VMware vCloud Foundation 4.2.1

Downloads and Documentation:

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF421&productId=1121&rPId=67576

https://docs.vmware.com/en/VMware-Cloud-Foundation/4.2.1/rn/VMware-Cloud-Foundation-421-Release-Notes.html

VMware vCloud Foundation 3.10.2.1

Downloads and Documentation:

https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html#3.10.2.1

Alternative Workaround

If immediate patching is not an option, VMware recommends disabling the affected plugins until the patches can be deployed.  Be aware that disabling these plugins is considered a temporary solution and removes the functionality those plugins provide.  To disable the plugins, you must mark them as incompatible in the compatibility-matrix.xml file.  Changing these settings within the user interface does not prevent exploitation.  Here are the plugins and the XML lines that need to be added to the compatibility-matrix.xml file:

<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
<PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
<PluginPackage id="com.vmware.vrUi" status="incompatible"/>
<PluginPackage id="com.vmware.vum.client" status="incompatible"/>
<PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>

More information about this workaround can be found here.
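Because the post warns that flipping the plugins off in the user interface is not enough, the file itself is what you want to edit and then audit. The following Python script is an added example, not code from the post or from VMware: it takes a compatibility-matrix.xml, marks the five plugin IDs above as incompatible without creating duplicate entries, and reports any affected plugin that is still not marked incompatible. The sample file, and the <Matrix>/<pluginsCompatibility> element names it uses, are assumptions made for this example; check VMware's workaround article for the real file location, layout, and any service restart it requires.

```python
import xml.etree.ElementTree as ET

# Plugin IDs that VMware's workaround marks as incompatible (the five
# PluginPackage lines quoted in the post).
AFFECTED_PLUGINS = [
    "com.vmware.vrops.install",
    "com.vmware.vsphere.client.h5vsan",
    "com.vmware.vrUi",
    "com.vmware.vum.client",
    "com.vmware.h4.vsphere.client",
]

# Constructed sample standing in for compatibility-matrix.xml. The
# <Matrix>/<pluginsCompatibility> element names and the existing entries
# are assumptions made for this example, not taken from a real appliance.
SAMPLE_MATRIX = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <!-- entries already present in the file -->
    <PluginPackage id="com.example.thirdparty" status="compatible"/>
    <PluginPackage id="com.vmware.vrUi" status="compatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def _parse(xml_text):
    # Keep XML comments so the rewritten file stays as documented as the original.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def disable_plugins(xml_text, plugin_ids=AFFECTED_PLUGINS):
    """Return the XML with every affected plugin marked status="incompatible".

    Existing entries are updated in place and missing ones are appended, so
    running this twice yields the same output (no duplicate PluginPackage
    elements, which is the usual mistake when people paste the lines by hand).
    """
    root = _parse(xml_text)
    container = root.find("pluginsCompatibility")
    if container is None:
        raise ValueError("no <pluginsCompatibility> element in file; check the layout")
    existing = {pkg.get("id"): pkg for pkg in container.findall("PluginPackage")}
    for pid in plugin_ids:
        pkg = existing.get(pid)
        if pkg is None:
            pkg = ET.SubElement(container, "PluginPackage", {"id": pid})
        pkg.set("status", "incompatible")
    ET.indent(root, space="  ")  # Python 3.9+: keep the file readable after appending
    return ET.tostring(root, encoding="unicode")


def still_enabled(xml_text, plugin_ids=AFFECTED_PLUGINS):
    """Audit check: affected plugin IDs that are NOT marked incompatible."""
    root = _parse(xml_text)
    status = {pkg.get("id"): pkg.get("status") for pkg in root.iter("PluginPackage")}
    return [pid for pid in plugin_ids if status.get(pid) != "incompatible"]


if __name__ == "__main__":
    patched = disable_plugins(SAMPLE_MATRIX)
    print(patched)
    print("still enabled after workaround:", still_enabled(patched))
```

On a real appliance, read the file VMware's article names, write the returned string back with an XML declaration, and then run still_enabled against the file on disk: an empty list is the evidence that the workaround was applied in the file rather than only in the UI. The same check makes a quick compliance query across a fleet while the patches are rolled out.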

Wrapping Up

This is the second vCenter vulnerability this year to have a severity rating of 9.8.  This vulnerability, along with the plethora of Chrome, Adobe, and Microsoft vulnerabilities that have recently been discovered, ensures that sysadmins worldwide have their work cut out for them.  All I can say is, keep up the good fight.  Maybe one day we'll live in a world where vulnerabilities are a thing of the past.  But I wouldn't hold your breath.

© 2021 PDQ.com Corporation