VMware has declared an “emergency change” for two vulnerabilities in vCenter Server, stating that immediate attention is required.
The vulnerabilities affect vCenter Server versions 6.5, 6.7 and 7.0 and, if exploited, allow attackers to execute commands and perform actions that bypass input validation.
One of the two, CVE-2021-21985, has been rated critical by the vendor because it can lead to remote code execution in the vSphere Client, owing to a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in.
The plug-in is enabled by default in vCenter Server, so a malicious actor with network access to port 443 (the standard port for HTTPS, i.e. encrypted web traffic) can exploit the issue to execute commands with unrestricted privileges.
The other vulnerability, CVE-2021-21986, allows actors with access to the same port to perform actions permitted by the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plug-ins.
While the vendor has issued fixes for both vulnerabilities, a blog post penned by Bob Plankers, technical marketing architect at VMware, “strongly” recommended that users apply the available patches as soon as possible.
“First, if you can patch vCenter Server, do it,” he wrote. “In general, this is the fastest way to resolving this problem. [It] doesn’t involve editing files on the vCenter Server Appliance (VCSA) and removes the vulnerability completely. From there you can update any plug-ins as vendors release new versions.”
Meanwhile, users who cannot patch right away and do not use vSAN can apply workarounds, which involve editing a text file on the VCSA and restarting services. However, if users disable the vSphere Lifecycle Manager plug-in on vSphere 7, they lose that plug-in's functionality until vCenter Server is patched from the Virtual Appliance Management Interface (VAMI).
Site Recovery users can disable the relevant plug-in and continue to manage the environment through the Site Recovery interface. If vSAN customers choose to disable the vSAN plug-in, they lose the ability to monitor and manage vSAN, including its alarms.
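The workaround above amounts to marking the affected plug-ins as disabled in a configuration file on the appliance and restarting the UI service. The helper below is an added example, not VMware's own tooling and not code from the article: it performs that kind of edit safely (back up first, change only what is needed, re-read and verify). The XML layout it expects (a `Matrix` root holding a `pluginsCompatibility` section of `PluginPackage` entries with `id` and `status` attributes), the file path and the plug-in identifiers are all assumptions or placeholders; take the real file location and plug-in ids from the vendor's workaround documentation rather than from this snippet.

```python
"""Mark vSphere Client plug-ins as incompatible in a compatibility-matrix XML.

Added example; not VMware's code. The matrix layout, the path and the
plug-in ids below are assumptions/placeholders, not values from the article.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Placeholder only: the real location on the VCSA is documented by the vendor.
MATRIX_PATH = Path("/PLACEHOLDER/compatibility-matrix.xml")

# Constructed sample matrix with one unrelated plug-in already listed.
SAMPLE_MATRIX = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.example.other" status="compatible"/>
  </pluginsCompatibility>
</Matrix>
"""

# Constructed plug-in ids standing in for the vSAN Health and Lifecycle
# Manager plug-ins; substitute the vendor-documented ids for your version.
PLACEHOLDER_PLUGIN_IDS = ["com.example.vsan-health", "com.example.lifecycle-manager"]


def mark_incompatible(xml_text: str, plugin_ids):
    """Return (updated_xml, changed_ids).

    Idempotent: entries already marked incompatible are left alone, so the
    function can be re-run without producing duplicate PluginPackage lines.
    """
    root = ET.fromstring(xml_text)
    section = root.find("pluginsCompatibility")
    if section is None:
        section = ET.SubElement(root, "pluginsCompatibility")

    existing = {pkg.get("id"): pkg for pkg in section.findall("PluginPackage")}
    changed = []
    for pid in plugin_ids:
        pkg = existing.get(pid)
        if pkg is None:
            ET.SubElement(section, "PluginPackage", id=pid, status="incompatible")
            changed.append(pid)
        elif pkg.get("status") != "incompatible":
            pkg.set("status", "incompatible")
            changed.append(pid)
    return ET.tostring(root, encoding="unicode"), changed


def disabled_plugins(xml_text: str):
    """Set of plug-in ids currently marked incompatible (used for verification)."""
    root = ET.fromstring(xml_text)
    return {p.get("id") for p in root.iter("PluginPackage") if p.get("status") == "incompatible"}


def apply_workaround(path: Path, plugin_ids):
    """Back up the file, rewrite it, then re-read it to confirm the change stuck.

    Returns the ids that were actually changed. Restarting the UI service
    afterwards (as the article notes) is left to the operator.
    """
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)  # keep an untouched copy for rollback
    updated, changed = mark_incompatible(path.read_text(), plugin_ids)
    path.write_text(updated)
    missing = set(plugin_ids) - disabled_plugins(path.read_text())
    if missing:
        raise RuntimeError(f"verification failed, still enabled: {sorted(missing)}")
    return changed


if __name__ == "__main__":
    # Dry run on the constructed sample; apply_workaround() would touch MATRIX_PATH.
    updated, changed = mark_incompatible(SAMPLE_MATRIX, PLACEHOLDER_PLUGIN_IDS)
    print("changed:", changed)
    print("disabled now:", sorted(disabled_plugins(updated)))
```

Run `apply_workaround(MATRIX_PATH, <ids>)` only once the placeholder path and ids have been replaced; the `.bak` copy is what you restore when vCenter Server has been patched and the plug-ins should come back.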
“This might be fine for your organisation for very short periods of time but we at VMware cannot recommend it. Please use caution,” Plankers warned. “You may have other security controls in your environment that can help protect you until you are able to patch. Using network perimeter access controls to curtail access to the vCenter Server management interfaces, for example.”
“In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” he added.