VMware issues ‘emergency change’ for vCenter Server exploits

Affects vCenter Server versions 6.5, 6.7 and 7.0.

Credit: VMware

VMware has issued an “emergency change” advisory for two vulnerabilities in vCenter Server, saying immediate attention is required.

The vulnerabilities affect vCenter Server versions 6.5, 6.7 and 7.0 and, if exploited, allow an attacker to execute code and perform actions they are not authorised for.

The first, CVE-2021-21985, has been rated critical by the vendor because it can lead to remote code execution in the vSphere Client, owing to a lack of input validation in the Virtual SAN Health Check plug-in.

This plug-in is enabled by default in vCenter Server, and a malicious actor with network access to port 443 (the standard port for HTTPS) can exploit the issue to execute commands with unrestricted privileges.

The second, CVE-2021-21986, can allow an attacker with access to the same port to perform actions permitted by the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plug-ins.

The vendor has issued fixes for both vulnerabilities, and a blog post by Bob Plankers, technical marketing architect at VMware, “strongly” recommended that users apply the available patches as soon as possible.

“First, if you can patch vCenter Server, do it,” he wrote. “In general, this is the fastest way to resolving this problem. [It] doesn’t involve editing files on the vCenter Server Appliance (VCSA) and removes the vulnerability completely. From there you can update any plug-ins as vendors release new versions.” 

Meanwhile, users who cannot patch right away and do not use vSAN can apply workarounds, which involve editing a text file on the VCSA and restarting services. However, users who disable the vSphere Lifecycle Manager plug-in on vSphere 7 will lose that plug-in's functionality until vCenter Server is patched from the Virtual Appliance Management Interface (VAMI).

Site Recovery users can disable its plug-in and continue to manage the environment through the Site Recovery interface. vSAN customers who choose to disable the vSAN plug-in will lose the ability to monitor and manage vSAN, along with its alarms.

“This might be fine for your organisation for very short periods of time but we at VMware cannot recommend it. Please use caution,” Plankers warned. “You may have other security controls in your environment that can help protect you until you are able to patch. Using network perimeter access controls to curtail access to the vCenter Server management interfaces, for example.”

“In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” he added.
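As an added illustration (not code from the article, from VMware, or from the blog post it quotes), the following Python script shows how a defender might turn two of the points above into a repeatable check: whether a vCenter host sits on one of the affected release lines (6.5, 6.7, 7.0) and whether its port 443 is reachable from outside the management network under a first-match perimeter rule set. The rule format, the inventory fields, and every subnet and address below are constructed assumptions for the example; patched build numbers are deliberately not encoded, since the article does not give them.

```python
"""Exposure and priority check for vCenter Server hosts.

Added example, not VMware tooling. Assumes an ordered, first-match
perimeter rule list (action, source CIDR, destination CIDR, port) and a
small host inventory; both are constructed here for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Release lines the advisory names as affected (from the article).
AFFECTED_LINES = ("6.5", "6.7", "7.0")


@dataclass(frozen=True)
class Rule:
    """One first-match perimeter rule (constructed format, not a vendor export)."""
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # destination TCP port, None means any port


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Evaluate an ordered rule list with an implicit default-deny at the end."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


def exposed_sources(rules: List[Rule], vcenter_ip: str, probe_sources: List[str], port: int = 443) -> List[str]:
    """Return the representative source addresses that can reach vCenter on the port."""
    return [src for src in probe_sources if first_match(rules, src, vcenter_ip, port) == "allow"]


def on_affected_line(version: str) -> bool:
    """True if a version string such as '6.7.0' belongs to an affected release line."""
    return any(version == line or version.startswith(line + ".") for line in AFFECTED_LINES)


def triage(host: dict, rules: List[Rule], probe_sources: List[str]) -> List[str]:
    """Order remediation the way the article does: patch first, workarounds only
    for non-vSAN hosts, and flag perimeter exposure either way."""
    findings = []
    if on_affected_line(host["version"]) and not host["patched"]:
        findings.append("patch vCenter Server (preferred fix)")
        if not host["uses_vsan"]:
            findings.append("workaround: disable affected plug-ins until patched")
    reachable = exposed_sources(rules, host["ip"], probe_sources)
    untrusted = [s for s in reachable if ip_address(s) not in ip_network(host["mgmt_net"])]
    if untrusted:
        findings.append("port 443 reachable from outside management network: " + ", ".join(untrusted))
    return findings


# Constructed sample data: an admin jump-host subnet, a user LAN with a
# legacy any-port rule, and one vCenter appliance on the 6.7 line.
SAMPLE_RULES = [
    Rule("allow", "10.10.0.0/24", "10.10.5.10/32", 443),  # admin jump hosts
    Rule("allow", "10.20.0.0/16", "10.10.5.0/24", None),  # legacy rule from user LAN
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
SAMPLE_HOST = {
    "ip": "10.10.5.10",
    "version": "6.7.0",
    "patched": False,
    "uses_vsan": False,
    "mgmt_net": "10.10.0.0/24",
}
PROBES = ["10.10.0.5", "10.20.33.7", "192.0.2.9"]  # admin, user desktop, internet

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST, SAMPLE_RULES, PROBES):
        print("-", finding)
```

The probe list stands in for "where could an attacker already be"; in the sample, the user-desktop subnet reaches the appliance on 443 through the legacy any-port rule, which is exactly the kind of exposure the quoted advice about perimeter controls is aimed at.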
