VMware has rolled out patches to address a critical security vulnerability in vCenter Server that could be leveraged by an adversary to execute arbitrary code on the server.
Tracked as CVE-2021-21985 (CVSS score 9.8), the issue stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” VMware said in its advisory.
VMware vCenter Server is a server management utility that is used to control virtual machines, ESXi hosts, and other dependent components from a single centralized location. The flaw affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x. VMware credited Ricter Z of 360 Noah Lab with reporting the vulnerability.
The patch release also rectifies an authentication issue in the vSphere Client that affects the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins (CVE-2021-21986, CVSS score: 6.5), which allows an attacker to carry out actions permitted by the plug-ins without any authentication.
While VMware is strongly recommending that customers apply the “emergency change,” the company has also published a workaround that marks the affected plug-ins as incompatible so the vSphere Client will not load them. “Disablement of these plug-ins will result in a loss of management and monitoring capabilities provided by the plug-ins,” the company noted.
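For teams that apply the workaround rather than the patch, a quick way to confirm it actually took effect on every vCenter is to read back the plug-in compatibility list and flag any plug-in that is not marked incompatible. The following is an added example, not code from the article or from VMware; the XML layout, element names and plug-in ids are constructed placeholders, not VMware's real format or identifiers.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a plug-in compatibility list as it might be read
# back from a vCenter after the workaround. Element/attribute names and
# plug-in ids are assumptions for illustration only.
SAMPLE_MATRIX = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.example.vsan-health" status="incompatible"/>
    <PluginPackage id="com.example.site-recovery" status="incompatible"/>
    <PluginPackage id="com.example.lifecycle-mgr" status="compatible"/>
  </pluginsCompatibility>
</Matrix>"""

# Placeholder ids standing in for the four plug-ins the advisory says to disable.
PLUGINS_TO_DISABLE = (
    "com.example.vsan-health",
    "com.example.site-recovery",
    "com.example.lifecycle-mgr",
    "com.example.vcda",
)


def plugin_status(matrix_xml):
    """Map plug-in id -> normalised status. If an id appears twice, the
    last entry wins, matching how a sequentially parsed list behaves."""
    root = ET.fromstring(matrix_xml)
    return {
        pkg.get("id"): (pkg.get("status") or "").strip().lower()
        for pkg in root.iter("PluginPackage")
        if pkg.get("id")
    }


def workaround_gaps(matrix_xml, required=PLUGINS_TO_DISABLE):
    """Return the required plug-in ids that are NOT disabled: ids missing
    from the list entirely, and ids present with any status other than
    'incompatible'. An empty result means the workaround is fully applied."""
    status = plugin_status(matrix_xml)
    return [pid for pid in required if status.get(pid) != "incompatible"]


if __name__ == "__main__":
    gaps = workaround_gaps(SAMPLE_MATRIX)
    print("workaround applied" if not gaps else f"still enabled: {gaps}")
```

Run it against the list pulled from each vCenter; a non-empty result is a host where the plug-ins remain loadable and the patch or workaround is still outstanding.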
“Organizations who have placed their vCenter Servers on networks that are directly accessible from the Internet […] should audit their systems for compromise,” VMware added. “They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.”
CVE-2021-21985 is the second critical vulnerability that VMware has rectified in vCenter Server. Earlier this February, it resolved a remote code execution vulnerability in a vCenter Server plug-in (CVE-2021-21972) that could be abused to run commands with unrestricted privileges on the underlying operating system hosting the server.
The fixes for the vCenter flaws also come after the company patched another critical remote code execution bug in VMware vRealize Business for Cloud (CVE-2021-21984, CVSS score: 9.8) caused by an unauthorized endpoint that could be exploited by a malicious actor with network access to run arbitrary code on the appliance.
Previously, VMware had rolled out updates to remediate multiple flaws in its VMware Carbon Black Cloud Workload and vRealize Operations Manager solutions.